diff --git a/source/reference/built-in-roles.txt b/source/reference/built-in-roles.txt index ae5ab890cad..4d78a9dea87 100644 --- a/source/reference/built-in-roles.txt +++ b/source/reference/built-in-roles.txt @@ -146,11 +146,9 @@ Every database includes the following database administration roles: .. authrole:: userAdmin - Provides the ability to create and modify roles and users on the current - database. This role also indirectly provides :ref:`superuser ` - access to either the database or, if scoped to the ``admin`` database, the - cluster. The :authrole:`userAdmin` role allows users to grant any user any - privilege, including themselves. + Provides the ability to create and modify roles and users for a database. + A user with this role on a database can assign any role or privilege + to any user for that database, including themselves. The :authrole:`userAdmin` role explicitly provides the following actions: @@ -165,6 +163,17 @@ Every database includes the following database administration roles: - :authaction:`viewRole` - :authaction:`viewUser` +   .. warning:: + + It is important to understand the security implications of granting the + :authrole:`userAdmin` role: a user with this role for a database can + assign themselves any privilege on that database. Granting the + :authrole:`userAdmin` role on the ``admin`` database has further + security implications as this indirectly provides + :ref:`superuser ` access to a cluster. With ``admin`` + scope a user with the :authrole:`userAdmin` role can grant cluster-wide + roles or privileges including :authrole:`userAdminAnyDatabase`. + .. _cluster-admin-roles: .. _admin-roles:
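Review bot: In the first hunk, the rewritten description removes the existing ``:ref:`superuser <...>``` cross-reference and the statement that ``userAdmin`` on the ``admin`` database indirectly grants cluster-wide control, so a reader who stops at the role summary no longer sees the highest-impact consequence of granting this role; keep a one-line pointer in the description (for example, "When granted on the ``admin`` database this role indirectly provides superuser access; see the warning below.") so the summary and the warning stay consistent, and confirm the dropped ``:ref:`` target is still used elsewhere before removing it.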
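Review bot: In the second hunk the added ``.. warning::`` line shows a different indent from the other added lines (three spaces after the ``+`` where the paragraph lines show one); in reStructuredText the directive must sit at exactly the same indentation as the surrounding ``authrole`` body, so check for stray or non-breaking spaces, otherwise docutils renders it as a literal block or detaches it from the role entry. The opening sentence "It is important to understand the security implications of granting the ``userAdmin`` role:" can be tightened to "Granting :authrole:`userAdmin` has security implications:" so the two concrete points (self-escalation on the database, and cluster-wide grants including :authrole:`userAdminAnyDatabase` with ``admin`` scope) lead the admonition.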