diff --git a/lib/mv/authorization/permission_sets.ex b/lib/mv/authorization/permission_sets.ex
index 11ddb5a..22132cb 100644
--- a/lib/mv/authorization/permission_sets.ex
+++ b/lib/mv/authorization/permission_sets.ex
@@ -95,7 +95,9 @@ defmodule Mv.Authorization.PermissionSets do
   def get_permissions(:own_data) do
     %{
       resources: [
-        # User: Can always read/update own credentials
+        # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},
@@ -125,6 +127,8 @@ defmodule Mv.Authorization.PermissionSets do
     %{
       resources: [
         # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},
@@ -157,6 +161,8 @@ defmodule Mv.Authorization.PermissionSets do
     %{
       resources: [
         # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},
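Review bot: The two added IMPORTANT lines state a module-wide invariant — every permission set grants `User.update :own` — inside one set's resource list, and the same two lines are pasted verbatim into the hunks at `@@ -125` and `@@ -157`, so the next set added to this module will silently fall out of sync with the comment; the first copy also explains "read_only" while sitting in the `:own_data` set, where it has no referent. State it once in the module's `@moduledoc` (e.g. `Every permission set grants User read/update with scope :own so any user can change their own credentials; "read_only" sets restrict member data only.`) and keep the per-set comment to the existing single line `# User: Can read/update own credentials only`. Because this grant is what keeps password changes working for every role, it is better pinned by a test that asserts each set returned by `get_permissions/1` contains `%{resource: "User", action: :update, scope: :own, granted: true}` than by a comment. The hunks do not show what attributes the `:own` update scope covers; if it is not limited to credential fields elsewhere, the grant is broader than the comment implies, which is worth confirming. `get_permissions(:own_data)` and the two other clauses continue past their hunks.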