diff --git a/README.md b/README.md
index c749c0b30508b93fafdfc1d69b8919b1ea505930..6c779b71b30f608ea0de02e1eacd84705615641f 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,8 @@ it wouldn't be safe for them to trust this information anyway, unless
 they have a way to ensure it comes only from the trusted sso-proxy
 (perhaps using TLS or other forms of transport verification). Finally,
 *sso-proxy* only handles incoming requests based on their Host
-attribute, not the request path.
+attribute, not the request path. And the only access control rules
+currently supported are group-based.
 
 The proxy server has its own configuration file, */etc/sso/proxy.yml*
 by default, which has the following attributes:
@@ -135,6 +136,8 @@ by default, which has the following attributes:
 * `backends` is the list of configured endpoints and associated
   backends, each entry has the following attributes:
   * `host` the HTTP host to serve
+  * `allowed_groups` is a list of the groups whose users will be
+    allowed access to the service
   * `upstream` is a list of *host:port* addresses for the upstream
     backends
   * `tls_server_name` allows you to explicitly set the value of the