commit 9fe3026f7e1d7086fe6f22f03a8ac1dfcb53ed0e
author Shawn McKinney <smckinney@apache.org> Sat Mar 16 18:25:27 2019 -0500
committer Shawn McKinney <smckinney@apache.org> Sat Mar 16 18:25:27 2019 -0500
tree 6a5df2177340d887675175a5302d6c89fed6958e
parent 58cc7e424da1373a21c259e78c7bfbc2ebacce2f

more cleanup

README-SECURITY-MODEL.md

diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index b01809d..8935f00 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -119,9 +119,9 @@
                                          
 3. Some APIs on the *AdminMgr* do organization checks, matching the org on the admin role with that on the target.  There are two types of organziations, User and Permission.
 
- For example, de/assignUser(User, Role) will verify that the caller has an ADMIN role with a matching user org unit, *userOU*, on the target user.
+ For example, de/assignUser(User, Role) will verify that the caller has an ADMIN role with a matching user org unit that matches the ou of the target user.
   
- There is similar check on grant/revokePermission(Role, Permission), where the caller must have activated ADMIN role matching the perm org unit, *permOU*, corresponding with the permission being targeted.
+ There is similar check on grant/revokePermission(Role, Permission), where the caller must have activated ADMIN role matching the perm org unit that matches the ou on the target permission.
 
  The complete list of APIs that enforce range and OU checks follow: