Document permissions needed by the plugin

Bug: Issue 14342
Change-Id: I4ee7e363d1ea67951c6c0ed67908ef621e7be0da
diff --git a/src/main/resources/Documentation/ b/src/main/resources/Documentation/
index 4d2d541..3ddbe8c 100644
--- a/src/main/resources/Documentation/
+++ b/src/main/resources/Documentation/
@@ -22,3 +22,18 @@
 be created as tags, containing information about the original ref that
 was changed, as well as the user that performed the change.  This can
 be enabled by setting `plugin.ref-protection.createTag true`.
+Since the `refs/backups/*` branch is created in the same User scope as the
+delete, `Create Reference` and `Push` permission need to be granted to any user
+that is allowed to delete or force-push a ref or backups will fail.
+This is most conveniently achieved by granting the permission to `Registered
+Users` (all logged in users).
+Furthermore, to avoid the backup refs to be exposed to the users, a block on the
+`Read` permission on `refs/backups/*` is necessary.
+This will avoid a possible security issue in the following case:
+* user A has exclusive access to `refs/super-secret-branch`
+* user A create a change in `refs/super-secret-branch`
+* user A deletes `refs/super-secret-branch`
+* `ref-protection` creates a backup in `refs/backups`
+* user B can access `super-secret-branch` backup
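Review bot: The first added sentence does not say which ref the `Create Reference` and `Push` permissions must be granted on, and since the next sentence recommends granting them to `Registered Users`, a reader could apply them far more broadly than the backup needs. Please state the ref pattern explicitly, presumably `refs/backups/*`, the same pattern the `Read` block uses. The `Read` block sentence likewise does not name the group the block applies to, or say whether anyone who has to restore a backup needs to be exempt from it. A short access-section example showing all three permissions together would make this hard to misconfigure. On formatting, the new text starts directly after the `createTag` line with no blank line, and there are no blank lines between the added paragraphs or before the bullet list, so the paragraphs will be merged when rendered and the list may not be recognised as a list. Minor wording: "to avoid the backup refs to be exposed" reads better as "to keep the backup refs from being exposed", "user A create a change" should be "creates", and the last bullet should name the backup ref under `refs/backups/*` rather than "`super-secret-branch` backup".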