From b304b124f64a39d84154dbd392e51385262069e8 Mon Sep 17 00:00:00 2001
From: Lisa Gunn <lisa.gunn@goteleport.com>
Date: Thu, 21 Sep 2023 14:43:49 -0700
Subject: [PATCH] Add role configuration nuance to moderated sessions

---
 docs/pages/access-controls/guides/moderated-sessions.mdx | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx
index 1c2a621044164..61d5ab8b5aaf0 100644
--- a/docs/pages/access-controls/guides/moderated-sessions.mdx
+++ b/docs/pages/access-controls/guides/moderated-sessions.mdx
@@ -148,6 +148,11 @@ spec:
         modes: ['moderator', 'observer']
 ```
 
+You should note that users who are assigned a role with a `join_sessions` allow policy are
+implicitly allowed to list sessions. In most cases, `deny` statements take precedent.
+However, if the `join_sessions` policy is set in a role, the `join_sessions` policy 
+overrides any explicit deny setting for listing sessions.
+
 #### Joining sessions example
 
 Here is an example of Jeff with role `prod-access` connecting to