diff --git a/changelog.d/4-docs/wpb-6780-patch-hole-in-scim-docs b/changelog.d/4-docs/wpb-6780-patch-hole-in-scim-docs
new file mode 100644
index 00000000000..360c264655d
--- /dev/null
+++ b/changelog.d/4-docs/wpb-6780-patch-hole-in-scim-docs
@@ -0,0 +1 @@
+Patch hole in scim docs regarding wire team role manipulation.
\ No newline at end of file
diff --git a/docs/src/understand/single-sign-on/trouble-shooting.md b/docs/src/understand/single-sign-on/trouble-shooting.md
index 776446be79f..59337fec96c 100644
--- a/docs/src/understand/single-sign-on/trouble-shooting.md
+++ b/docs/src/understand/single-sign-on/trouble-shooting.md
@@ -313,7 +313,16 @@ in your wire team:
       mapped on wire's email address, and provisioning works like in
       the team management app with invitation emails.
 
-This means that if you use email/password authentication, you **must**
+5. SCIM's `roles` is mapped to team role.  Only lists of length 0 or 1
+   are allowed.  Valid values are:
+
+   - `[member]` (same as `[]`, `null`, or missing field)
+   - `[admin]`
+   - `[owner]`
+   - `[partner]`
+
+The mapping of `externalId` implies that if you use email/password
+authentication, you **must**
 map an email address to `externalId` on your side.  With `userName`
 and `displayName`, you are more flexible.