diff --git a/policy/tpa-rfc-7-root.md b/policy/tpa-rfc-7-root.md
index 0e88013bd234732449cb0ce0c2d69d3888fca1f7..d0c7ccd134161f88b4418ed87cefed8248246ede 100644
--- a/policy/tpa-rfc-7-root.md
+++ b/policy/tpa-rfc-7-root.md
@@ -78,15 +78,19 @@ concerns only membership to the TPA team and access to servers.
 
 Members of TPA SHOULD have all access levels defined above.
 
-Service admins MAY have access to some accesses. In general, they MUST
-have `sudo` access to some role account to manage their own service,
-but they MAY be granted LIMITED `root` access (through `sudo`) only on
-the server(s) which host the service they are admin for.
+Service admins MAY have some access to some servers. In general, they
+MUST have `sudo` access to a role account to manage their own
+service. They MAY be granted LIMITED `root` access (through `sudo`)
+only on the server(s) which host their service, but this should be
+granted only if there are no other technical way to implement the
+service.
 
 In general, service admins SHOULD use their `root` access in
 "read-only" mode for debugging, as much as possible. Any "write"
 changes MUST be documented, either in a ticket or in an email to the
-TPA team (if the ticket system is down). 
+TPA team (if the ticket system is down). Common problems and their
+resolutions SHOULD be documented in the [service documentation
+page](service).
 
 Service admins are responsible for any breakage they cause to systems
 while they use elevated privileges.
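
Review bot: The condition added on root access, "this should be granted only if there are no other technical way to implement the service", uses a lowercase "should" while every other requirement in this hunk is written with uppercase keywords (MAY, MUST, SHOULD), so a reader cannot tell whether the restriction is normative. Suggest "but this SHOULD be granted only if there is no other technical way to implement the service", which also fixes the "there are no ... way" agreement error, or MUST if the intent is that `root` via `sudo` is strictly a last resort. In the second added sentence, the link target `(service)` is relative; the hunk does not show where it resolves from `policy/`, so it is worth confirming the link lands on the intended service documentation page.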