diff --git a/messages/en-US.json b/messages/en-US.json
index 6ee77a470..48ad74542 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -984,7 +984,7 @@
"sharedPolicyNoneDescription": "This resource has its own policy.",
"resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
"resourceSharedPolicyInheritedDescription": "This resource inherits authentication and access rules controls from {policyName}.",
- "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource. To change the underlying policy, you must edit to {policyName}.",
+ "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to {policyName}.",
"resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit {policyName}.",
"resourceUsersRoles": "Access Controls",
"resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
diff --git a/server/routers/resource/addRoleToResource.ts b/server/routers/resource/addRoleToResource.ts
index 26cac1bf8..a1d493631 100644
--- a/server/routers/resource/addRoleToResource.ts
+++ b/server/routers/resource/addRoleToResource.ts
@@ -28,7 +28,8 @@ const addRoleToResourceParamsSchema = z
registry.registerPath({
method: "post",
path: "/resource/{resourceId}/roles/add",
- description: "Add a single role to a resource.",
+ description:
+ "Add a single role to a resource. When the resource has an inline policy defined (no shared resource policy assigned), the role is added to the inline policy instead of directly to the resource.",
tags: [OpenAPITags.PublicResource, OpenAPITags.Role],
request: {
params: addRoleToResourceParamsSchema,
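Review bot: The new `description` covers only the inline-policy case and never says what this endpoint does when a shared resource policy is assigned, so an API consumer cannot tell whether the role is attached directly to the resource, layered on top of the shared policy, or rejected. Because this call grants access, I would state that case explicitly by appending a sentence of the form `When a shared resource policy is assigned, <behaviour in that case>.` The parenthetical "(no shared resource policy assigned)" also reads as if "has an inline policy" and "has no shared policy" were the same condition; if a resource can have neither or both, the wording should say which condition is actually tested. The same gap is present in the descriptions changed in addUserToResource.ts, setResourceRoles.ts and setResourceUsers.ts. The handler is outside this hunk, so the documented behaviour cannot be checked against the code here.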
diff --git a/server/routers/resource/addUserToResource.ts b/server/routers/resource/addUserToResource.ts
index 4b095be84..ebe43fccd 100644
--- a/server/routers/resource/addUserToResource.ts
+++ b/server/routers/resource/addUserToResource.ts
@@ -28,7 +28,8 @@ const addUserToResourceParamsSchema = z
registry.registerPath({
method: "post",
path: "/resource/{resourceId}/users/add",
- description: "Add a single user to a resource.",
+ description:
+ "Add a single user to a resource. When the resource has an inline policy defined (no shared resource policy assigned), the user is added to the inline policy instead of directly to the resource.",
tags: [OpenAPITags.PublicResource, OpenAPITags.User],
request: {
params: addUserToResourceParamsSchema,
diff --git a/server/routers/resource/setResourceRoles.ts b/server/routers/resource/setResourceRoles.ts
index bdab79982..681e00650 100644
--- a/server/routers/resource/setResourceRoles.ts
+++ b/server/routers/resource/setResourceRoles.ts
@@ -22,7 +22,7 @@ registry.registerPath({
method: "post",
path: "/resource/{resourceId}/roles",
description:
- "Set roles for a resource. This will replace all existing roles.",
+ "Set roles for a resource. This will replace all existing roles. When the resource has an inline policy defined (no shared resource policy assigned), roles are set on the inline policy instead of directly on the resource.",
tags: [OpenAPITags.PublicResource, OpenAPITags.Role],
request: {
params: setResourceRolesParamsSchema,
diff --git a/server/routers/resource/setResourceUsers.ts b/server/routers/resource/setResourceUsers.ts
index 770769738..d292ccba2 100644
--- a/server/routers/resource/setResourceUsers.ts
+++ b/server/routers/resource/setResourceUsers.ts
@@ -22,7 +22,7 @@ registry.registerPath({
method: "post",
path: "/resource/{resourceId}/users",
description:
- "Set users for a resource. This will replace all existing users.",
+ "Set users for a resource. This will replace all existing users. When the resource has an inline policy defined (no shared resource policy assigned), users are set on the inline policy instead of directly on the resource.",
tags: [OpenAPITags.PublicResource, OpenAPITags.User],
request: {
params: setUserResourcesParamsSchema,
diff --git a/server/routers/resource/updateResource.ts b/server/routers/resource/updateResource.ts
index 6ffe3d171..77603fe9f 100644
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -239,7 +239,8 @@ const updateRawResourceBodySchema = z
registry.registerPath({
method: "post",
path: "/resource/{resourceId}",
- description: "Update a resource.",
+ description:
+ "Update a resource. Policy fields (sso, mfa, pincode, password, whitelist) update the inline policy when no shared resource policy is assigned; when a shared policy is assigned those fields override the shared policy for this resource only.",
tags: [OpenAPITags.PublicResource],
request: {
params: updateResourceParamsSchema,
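Review bot: This description says the policy fields "override the shared policy for this resource only", but the UI string changed in messages/en-US.json in the same commit says the settings are edited "to add to the policy", and the two describe different security models. Under an additive model a resource-level update can only tighten the shared policy, whereas under an override a single update could presumably relax `sso` or `mfa` that the shared policy requires. The description should state which one holds and, if it really is an override, say so in the UI notice as well, for example `those fields replace the shared policy's values for this resource only, including less restrictive values`. It would also help to name the fields as they appear in `updateResourceBodySchema` rather than the informal list, so the doc cannot drift from the schema. The handler is outside this hunk, so the actual merge behaviour cannot be confirmed from here.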