From d188a70ff561aa448ac4bc26a288a21df4b4ed45 Mon Sep 17 00:00:00 2001
From: irl <iain@learmonth.me>
Date: Sat, 20 Dec 2025 13:16:09 +0000
Subject: [PATCH] docs: add note on become convention

---
 README.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8505c0a..8b26da8 100644
--- a/README.md
+++ b/README.md
@@ -9,10 +9,18 @@ collections:
   - src: git+https://guardianproject.dev/sr2/ansible-collection-core.git
     version: "main"
 roles:
-  - src: git+https://github.com/ansible-lockdown/RHEL9-CIS.git
-    version: "2.0.3"
+  - src: git+https://guardianproject.dev/sr2/RHEL9-CIS.git
+    version: "2.0.3-become"
 ```
 
+## Convention
+
+We assume that these roles will be run initially as root, and then as an unprivileged user after initial bootstrap.
+Some hardening may only be performed in the second run when we can see that the unprivileged user access is configured
+and root access is no longer required.
+If anything fails due to permissions when running as an unprivileged user, please report that in our
+[issue tracker](https://guardianproject.dev/sr2/ansible-collection-core/issues).
+
 ## Licence
 
 Copyright &copy; SR2 Communications Limited 2021-2025.