X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/05d6c99e5b40c7e0792c44a7c2d9af5b91164f9b..9816d2cf5f88d19e4e492c1e965874e5a5b3055c:/doc/api/permission-model.html.textile.liquid diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid index baa300ad5f..8b085ee5aa 100644 --- a/doc/api/permission-model.html.textile.liquid +++ b/doc/api/permission-model.html.textile.liquid @@ -15,9 +15,11 @@ Each API transaction (read, write, create, etc.) is done on behalf of a person. A user (person) is permitted to act on an object if there is a path (series of permission Links) from the acting user to the object in which -* Every intervening object is a Group or a User, and +* Every intervening object is a Group, and * Every intervening permission Link allows the current action +Special case: A permission path can also include intervening User objects if the links _to_ the Users are "can_manage" links. + Each object has exactly one _owner_, which can be either a User or a Group. * If the owner of X is A, then A is permitted to do any action on X. 
@@ -79,8 +81,8 @@ George has read-only access to the same set of accounts. This lets him see thing table(table table-bordered table-condensed). |Tail |Permission |Head |Effect| |Group: Ashton Lab Admin|can_manage |User: Lab Member 1 |Lab member 1 is in this administrative group| -|Group: Ashton Lab Admin|can_manage |User: Lab Member 2 |Lab member 1 is in this administrative group| -|Group: Ashton Lab Admin|can_manage |User: Lab Member 3 |Lab member 1 is in this administrative group| +|Group: Ashton Lab Admin|can_manage |User: Lab Member 2 |Lab member 2 is in this administrative group| +|Group: Ashton Lab Admin|can_manage |User: Lab Member 3 |Lab member 3 is in this administrative group| |Group: Ashton Lab Admin|can_manage |User: Alison |Alison is in this administrative group| |Group: Ashton Lab Admin|can_manage |User: George |George is in this administrative group| |Alison |can_manage |Group: Ashton Lab Admin |Alison can do everything the above lab members can do|
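Review bot: In the first hunk (@@ -15,9 +15,11 @@), the added "Special case" sentence leaves the direction of the link ambiguous, because "links _to_ the Users" is not phrased in the Tail/Head terms the tables later in this file use. Since this sentence decides whether access flows through a User object, I would word it as "if every link whose Head is a User is a can_manage link". I would also state the negative case explicitly: a path through a User reached by a weaker link does not grant access. It would also help to say whether the remaining bullet, "Every intervening permission Link allows the current action", still applies to the other links on such a path, so a reader does not take can_manage on the User link alone as sufficient.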
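Review bot: In the second hunk (@@ -79,8 +81,8 @@), the corrected Effect cells still read as group membership ("Lab member 2 is in this administrative group"), while the rows themselves have the Group as Tail and the User as Head. Set against the last visible row, where Alison is the Tail and the Group is the Head, this makes it hard to tell which side holds the permission. Consider rewording the Effect for the Group-to-User rows so that it names the direction, for example that the account is managed by this group. While these lines are being touched, the capitalization could also be aligned: the Head column has "Lab Member 2" but the Effect column has "Lab member 2".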