diff --git a/README.md b/README.md
index c95faf44c193598b52e68c4f489437007aae32d3..f812893ac13b7dc9acca555c5118fb4a2c10af69 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
 
-
 #### Minimal Intro:
 - [SSO](https://lmddgtfy.net/?q=SSO): Single Sign On
 - SLO: Single Log Out
@@ -80,15 +79,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame
 
 #### Groups and Permissions
 
-Users receive groups using SSO. For this to work, you need:
-  - some groups in your django project (see `django.contrib.auth` groups)
-  - groups with exactly the same names provided by the IDP
-    - create a group in the IDM
-    - make sure IDM provides it to the IDP
-    - make sure IDP provides it to your SP
-  - you might want to predefine some groups in the project settings (see `ssoauth` default config for details)
-    - these groups will be created automatically (when migrating) and will receive the specified permissions
-    - e.g. you probably want a superuser group, see the example below
+With `ssoauth` the only way to assign permissions is with groups:
+  - when user logs in, `ssoauth` receives group names from the IDP
+  - if your project has `django.contrib.admin` `Groups` with exactly the same names, as received from the IDP, these groups are assigned to the user (`django.contrib.auth` `User` is automatically created)
+  - all other groups and permissions are automatically removed from the user (so it's not possible to "patch" what IDP says with some extra rules in the project)
+
+You can predefine some groups in  project settings (see `ssoauth` default config for details). These predefined groups will be created automatically (when migrating). For example, a superuser group:
 
 ```python
 PREDEFINED_GROUPS = {
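Review bot: the second added bullet names `django.contrib.admin` `Groups`, but the group model belongs to `django.contrib.auth` (the removed text said "`django.contrib.auth` groups", and the same bullet already uses `django.contrib.auth` for `User`); suggest "`django.contrib.auth` `Group` objects with exactly the same names". The rewrite also drops two points from the old list: that a group has to be created in the IDM and passed on through the IDP to the SP, and that predefined groups "will receive the specified permissions". Both are worth keeping, because under the new third bullet everything not matched by name is removed from the user, so a group that is missing or misspelled on the IDP side leaves the user without those permissions and the README no longer says where to look. Minor: "when user logs in" should be "when a user logs in", and "in  project settings" has a double space.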