diff --git a/security/expressions.rst b/security/expressions.rst index 82a2aebee31..87aa4388ab6 100644 --- a/security/expressions.rst +++ b/security/expressions.rst @@ -39,9 +39,9 @@ Inside the expression, you have access to a number of variables: ``user`` The user object (or the string ``anon`` if you're not authenticated). ``roles`` - The array of roles the user has, including from the - :ref:`role hierarchy ` but not including the - ``IS_AUTHENTICATED_*`` attributes (see the functions below). + The array of roles the user has. This array includes any roles granted + indirectly via the :ref:`role hierarchy ` but it + does not include the ``IS_AUTHENTICATED_*`` attributes (see the functions below). ``object`` The object (if any) that's passed as the second argument to ``isGranted()``. ``token``
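Review bot: In the added ``roles`` description, the ``:ref:`role hierarchy ``` role appears with link text but no ``<label>`` target (the removed lines show the same form), so please confirm the reference target is present in the file and that the link still resolves after the text was rewrapped across two lines. Two smaller wording points on the same added lines: "via the role hierarchy but it does not include" reads better with a comma before "but", and the last added line (ending "(see the functions below).") is noticeably longer than the two above it, so rewrap it to match the surrounding line length. Since readers use this sentence to decide what a check against ``roles`` actually covers, it would also help to state in the sentence itself that the ``IS_AUTHENTICATED_*`` attributes must be tested with the functions listed below rather than looked up in ``roles``.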