docs(tenants): add deniedServices to tenant dedicated backends

content/docs/06.enterprise/02.governance/tenants.md

@@ -154,3 +154,23 @@ Note that this feature has been introduced in Kestra 0.20.0. If you are using an
 
 Also, make sure to use `camelCase` notation. For example, if you want to use the `GCS` storage backend, you should use `projectId` as the value rather than `project-id`.
 ::
+
+### Isolate Kestra Services
+
+When using [Dedicated Storage or Secret backends](./tenants.md#dedicated-storage-and-secrets-backend-per-tenant), you can isolate specific [Kestra services](../../07.architecture/02.server-components.md) to prevent them from accessing the storage or secret backend. For example, you may not want the [Webserver](../../07.architecture/08.webserver.md) to be able to access the dedicated internal storage. This isolation is intended for Kestra instances where multiple teams or organizations share access, but storage or secret data access must be limited to specific segments.
+
+The configuration utilizes the `deniedServices` property with a list of the services to isolate. Take the following as an example using `storage` (this can be replaced with `secret` for a dedicated secret backend), where the Executor and Webserver must be isolated:
+
+```yaml
+kestra:
+  storage:   # or secret
+    isolation:
+      enabled: true
+      deniedServices: [EXECUTOR, WEBSERVER]
+```
+
+For additional configuration details, refer to dedicated [Secrets backend](../../configuration/index.md#secret-managers) and [Internal Storage](../../configuration/index.md#internal-storage) in the configuration guide.
+
+::alert{type="info"}
+If this feature is enabled some UI or flow execution capabilities may not work as expected. If unsure, contact support.
+::