diff --git a/doc/env-settings.md b/doc/env-settings.md index d3e171938..b313ad429 100644 --- a/doc/env-settings.md +++ b/doc/env-settings.md @@ -95,6 +95,7 @@ List of [users](models.md#user) and [roles](models.md#role) giving them permissi ### LAYMAN_ROLE_SERVICE_URI URL of [Role Service](security.md#role-service) with DB schema in format `postgresql://:@:/?schema=`. URL scheme must be `postgresql`. URL host must be mentioned explicitly, as well as DB schema in `schema` URL query parameter. If you want to use [internal role service schema](security.md#internal-role-service-schema) provided by Layman, set value to `postgresql://:@:/?schema=_role_service` (replace variable names with their values). +Password is stored as plaintext in GeoServer config file. One of solutions of this security issue is to create DB user exclusively for this purpose with read-only rights for role-service tables/views. ## Layman Test Client Settings
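Review bot: The sentence added under LAYMAN_ROLE_SERVICE_URI does not say which password it means or where it is written. State that it is the password embedded in this URI, and name the GeoServer config file (or link to the relevant security.md section) so operators know which file to protect with restrictive permissions. A dedicated DB user with read-only rights limits what a leaked credential can do but does not remove the plaintext storage, so describe it as a mitigation rather than a solution and phrase it as a direct recommendation, for example "Use a DB user created exclusively for this purpose, with read-only rights on the role-service tables/views." The grammar of "One of solutions of this security issue" also needs fixing.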