From 9faf9ecf2081422bd2e8f46d795a1a2a01bfa7a7 Mon Sep 17 00:00:00 2001 From: 317brian <53799971+317brian@users.noreply.github.com> Date: Fri, 19 May 2023 14:56:24 -0700 Subject: [PATCH] docs: add line about write datasource perm for overlord api (#14114) Co-authored-by: Katya Macedo <38017980+ektravel@users.noreply.github.com> --- docs/multi-stage-query/security.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/multi-stage-query/security.md b/docs/multi-stage-query/security.md index dcbb68f545e..9a9e02b0ea1 100644 --- a/docs/multi-stage-query/security.md +++ b/docs/multi-stage-query/security.md 
@@ -43,12 +43,18 @@ To submit a query: Once a query is submitted, it executes as a [`query_controller`](concepts.md#execution-flow) task. Query tasks that users submit to the MSQ task engine are Overlord tasks, so they follow the Overlord's security model. This means that users with access to the Overlord API can perform some actions even if they didn't submit the query, including -retrieving status or canceling a query. For more information about the Overlord API and the task API, see [APIs for SQL-based ingestion](../api-reference/sql-ingestion-api.md). +retrieving status or canceling a query. For more information about the Overlord API and the task API, see [APIs for +SQL-based ingestion](../api-reference/sql-ingestion-api.md). + +> Keep in mind that any user with access to Overlord APIs can submit `query_controller` tasks with only the WRITE DATASOURCE permission. + +Depending on what a user is trying to do, they might also need the following permissions: + +- `INSERT` or `REPLACE` queries: Users must have DATASOURCE READ permission on the output datasource. +- `SELECT` queries: Users must have READ permission on the `__query_select` datasource, which is a stub datasource that gets created. + -To interact with a query through the Overlord API, users need the following permissions: -- `INSERT` or `REPLACE` queries: Users must have READ DATASOURCE permission on the output datasource. -- `SELECT` queries: Users must have read permissions on the `__query_select` datasource, which is a stub datasource that gets created. ## S3
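Review bot: The added note ("any user with access to Overlord APIs can submit `query_controller` tasks with only the WRITE DATASOURCE permission") does not say which datasource the WRITE permission has to be on, and the new lead-in "Depending on what a user is trying to do, they might also need the following permissions" drops the scope that the removed line "To interact with a query through the Overlord API" gave. As written, a reader cannot tell whether the two bullets apply to submitting a task or to retrieving status and canceling an existing one. Suggest naming the datasource in the note and keeping the Overlord API scope in the lead-in. The permission wording is also inconsistent within the hunk: the note says "WRITE DATASOURCE", the `INSERT` or `REPLACE` bullet is changed from "READ DATASOURCE" to "DATASOURCE READ", and the `SELECT` bullet says only "READ permission"; use one order throughout. The rewrap of the preceding paragraph also splits the link text "[APIs for SQL-based ingestion]" across two lines, which is easier to maintain if the link stays on one line.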