diff --git a/lib/models/acl.js b/lib/models/acl.js
index 6a155f9a..d7f18b6f 100644
--- a/lib/models/acl.js
+++ b/lib/models/acl.js
@@ -138,7 +138,12 @@ ACL.getMatchingScore = function getMatchingScore(rule, req) {
 }
 }
- // Weigh agaist the principal type
+ // Weigh against the principal type into 4 levels
+ // - user level (explicitly allow/deny a given user)
+ // - app level (explicitly allow/deny a given app)
+ // - role level (role based authorization)
+ // - other
+ // user > app > role > ...
 score = score * 4;
 switch(rule.principalType) {
 case ACL.USER:
@@ -155,6 +160,7 @@ ACL.getMatchingScore = function getMatchingScore(rule, req) {
 }
 // Weigh against the roles
+ // everyone < authenticated/unauthenticated < related < owner < ...
 score = score * 8;
 if(rule.principalType === ACL.ROLE) {
 switch(rule.principalId) {
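Review bot: The two added precedence comments read in opposite directions — the principal-type comment in the first hunk lists highest precedence first (`user > app > role > ...`) while the role comment in the second hunk lists lowest first (`everyone < authenticated/unauthenticated < related < owner < ...`), which invites misreading of which rule wins when ACLs conflict. Since this score decides which ACL entry is applied, the comment should state the direction explicitly once, e.g. `// Higher score wins; most specific principal first: user > app > role > ...`, and the role comment should use the same ordering convention. The multipliers `score = score * 4` and `score = score * 8` are still magic numbers that the comments now describe as "4 levels" and a list of role tiers; naming them (e.g. `var PRINCIPAL_TYPE_LEVELS = 4;`) would keep the weighting and the documentation from drifting apart. The function getMatchingScore begins and ends outside both hunks, so the switch bodies the comments describe are not visible here.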