diff --git a/README.md b/README.md
index aae30ea..ada0483 100644
--- a/README.md
+++ b/README.md
@@ -185,6 +185,10 @@ Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_z
 https://f.q.d.n/ui/vault/secrets/kv/list/for_rbacgroup_zabbix
 ```
 
+### Permission to create orphan tokens
+
+The next example will explain orphan tokens. If you've followed examples above your Vault instance will have an `administrators` group with an `administrator` policy assigned to it. Users in that group will already have `write` access to `auth/token/create-orphan` so you can just use one of your `administrators` entities to follow along.
+
 ## Clean-up
 
 If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.