From 612d233cd1bbe8c85dc7c3c1bb4e550d1b0f4030 Mon Sep 17 00:00:00 2001 From: Stephan de Wit Date: Mon, 5 May 2025 16:18:03 +0200 Subject: [PATCH] review feedback --- source/manual/users.rst | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/source/manual/users.rst b/source/manual/users.rst index ab7c2f47..c7e4b0b4 100644 --- a/source/manual/users.rst +++ b/source/manual/users.rst @@ -52,15 +52,12 @@ rights, called privileges. .. Note:: - In most cases, the only reason for a user to exist on the firewall, is so their access - can be restricted for various services using group management. - - For example, if a user is not restricted by a group, you would only need to provide a - valid certificate for this user to grant OpenVPN access in its most basic form. - - This concept is also relevant when considering external authentication services - such as LDAP or RADIUS. Without group restrictions, no user synchronization from - LDAP or RADIUS to OPNsense is necessary to facilitate authentication. + It's not always required to have users in your local database, when the remote server + should merely answer the question if a user offers a valid user/password combination, + most services can just push this question to the authenticating server. Constraints + in some cases can be part of the authenticator as well. When the user should login + to the firewall (for example to change settings or download a profile), a local user + is always required as it serves as a linking pin to the ACL system. Authentication services
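Review bot: The replacement note text is a single run-on sentence and its opening clause is grammatically ambiguous; in "It's not always required to have users in your local database, when the remote server should merely answer the question if a user offers a valid user/password combination, most services can just push this question to the authenticating server." the comma after "database" reads as a dependent clause rather than a sentence break, and "if" should be "whether". Suggest splitting it: "It is not always required to have users in your local database. When the remote server only needs to answer whether a user presented a valid username/password combination, most services can delegate that question to the authenticating server." Two further points on the same hunk: "Constraints in some cases can be part of the authenticator as well." does not say what kind of constraint is meant, while the removed lines did (restricting access "using group management"), so consider naming group-based restrictions explicitly; and "most services" leaves the reader guessing which services delegate and which do not, whereas the removed text gave a concrete case (a valid certificate alone granting OpenVPN access). The closing sentence about a local user being required for firewall login "as it serves as a linking pin to the ACL system" is the useful security distinction here and should stay, though "linking pin" is idiomatic; "as it links the login to the ACL system" reads more plainly.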