diff --git a/docs/content/general/tutorial.md b/docs/content/general/tutorial.md index 54e1a070..5e959450 100644 --- a/docs/content/general/tutorial.md +++ b/docs/content/general/tutorial.md @@ -141,8 +141,6 @@ metadata: name: oil spec: owners: - - name: oil-users - kind: Group - name: system:serviceaccount:default:robot kind: ServiceAccount EOF @@ -164,18 +162,18 @@ metadata: name: default spec: userGroups: - - capsule.clastix.io - system:serviceaccounts:default ``` -because, by default, each service account is a member of following groups: +since each service account in a namespace is a member of following group: ``` -system:serviceaccounts system:serviceaccounts:{service-account-namespace} -system:authenticated ``` +> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount. + + ## Create namespaces Alice, once logged with her credentials, can create a new namespace in her tenant, as simply issuing:
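Review bot: In the first hunk (`@@ -141,8 +141,6`), dropping the `oil-users` Group leaves `system:serviceaccount:default:robot` as the only owner of tenant `oil`, and nothing near the manifest says that the `default` in that name is the service account's namespace. That namespace is what the `system:serviceaccounts:default` entry in the next hunk has to match, so a one-line sentence before the manifest stating it would stop readers from copying the name with a service account that lives elsewhere. If the rest of the tutorial still refers to members of `oil-users` acting on this tenant, say here that this example replaces the group owner rather than adding to it.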
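Review bot: In the second hunk (`@@ -164,18 +162,18`), the example sets `userGroups` to `system:serviceaccounts:default` while the note added a few lines below warns against using `system:serviceaccounts:{capsule-namespace}`; a reader who installed Capsule into `default` will hit exactly the short-circuit the note describes by applying the example as written. State next to the example that it assumes Capsule runs in a namespace other than `default`, or use a different namespace for the `robot` service account. The example also removes `capsule.clastix.io` from `userGroups`, so applying it verbatim stops treating members of that group as Capsule users; either keep both entries or say the removal is intended. The reworded sentence now lists only one group, but the warning still refers to `system:serviceaccounts`, so mention that service accounts belong to that group as well and that it is left out on purpose. Wording: "member of following group" should read "member of the following group", "Please, pay attention" needs no comma, and the hunk adds two blank lines before `## Create namespaces` where one is enough.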