diff --git a/docs/secrets.md b/docs/secrets.md index 551083034..9b7519fba 100644 --- a/docs/secrets.md +++ b/docs/secrets.md @@ -20,6 +20,8 @@ Each secret is assigned a functional role which indicates what it is used for. T * IKE key strings * Routing protocol shared secrets +Roles are also used to control access to secrets. Each role is assigned an arbitrary number of groups and/or users. Only the users associated with a role have permission to decrypt the secrets assigned to that role. (A superuser has permission to decrypt all secrets, provided they have an active user key.) + --- # User Keys
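Review bot: The new paragraph leaves two access-control details ambiguous that readers of docs/secrets.md will need. First, "Only the users associated with a role have permission to decrypt" follows a sentence that says roles are assigned groups and/or users, but it does not say whether membership in an assigned group counts as being associated with the role; suggest "Only users assigned to a role, directly or through one of its groups, have permission to decrypt the secrets assigned to that role." Second, the parenthetical "(A superuser has permission to decrypt all secrets, provided they have an active user key.)" states the condition without its consequence; spelling out what a superuser without an active user key can do (and what happens to secrets whose role has no users or groups assigned at all) would close the gap rather than leaving the reader to infer it.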