diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml
index 2e21669949..60ca183ea8 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml
@@ -5,6 +5,7 @@
 
    <!--  Assignable Capabilities -->
    
+   <!-- controls user and group creation/destruction -->
    <bean id="rmCreateModifyDestroyUsersAndGroupsCapability"
       parent="declarativeCapability">
       <property name="name" value="CreateModifyDestroyUsersAndGroups" />
@@ -21,6 +22,7 @@
       <property name="index" value="30" />
    </bean>
 
+   <!--  controls user and gropus role assignments -->
    <bean id="rmManageAccessControlsCapability"
       parent="declarativeCapability">
       <property name="name" value="ManageAccessControls" />
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
index 176cf86aad..75b0792b6f 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
@@ -551,8 +551,8 @@
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getUsersAssignedToRole=RM.Read.0
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getGroupsAssignedToRole=RM.Read.0
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getAllAssignedToRole=RM.Read.0
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.assignRoleToAuthority=RM_CAP.0.rma:filePlanComponent.CreateModifyDestroyUsersAndGroups
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.unassignRoleFromAuthority=RM_CAP.0.rma:filePlanComponent.CreateModifyDestroyUsersAndGroups
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.assignRoleToAuthority=RM_CAP.0.rma:filePlanComponent.ManageAccessControls
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.unassignRoleFromAuthority=RM_CAP.0.rma:filePlanComponent.ManageAccessControls
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getAllRolesContainerGroup=RM_ALLOW
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.*=RM_DENY
                 ]]>