elastic · ymao1 · Mar 8, 2021 · Feb 25, 2021 · Mar 8, 2021 · Mar 8, 2021
diff --git a/docs/user/alerting/alerting-getting-started.asciidoc b/docs/user/alerting/alerting-getting-started.asciidoc
@@ -212,4 +212,21 @@ If an alert requires certain privileges to run such as index privileges, keep in
 
 For security reasons you may wish to limit the extent to which {kib} can connect to external services. <<action-settings>> allows you to disable certain <<action-types>> and allowlist the hostnames that {kib} can connect with. 
 
---
+[float]
+[[alerting-limitations]]
+=== Limitations
+
+Users who create alerts will need the `manage_api_key` cluster privilege.
+
+[IMPORTANT]
+==============================================
+Note that the `manage_own_api_key` cluster privilege is not enough - it can be used to create API keys, but cannot be used invalidate them. Alerting must be able to both create and invalidate API keys. 
+==============================================
+
+When an alert is created by a user with the `manage_own_api_key` but not the `manage_api_key` cluster privilege, you will see the following error message in the {kib} logs:
+
+```bash
+[error][alerting][plugins] Failed to invalidate API Key: [security_exception] action [cluster:admin/xpack/security/api_key/invalidate] is unauthorized for user [user-name-here]
+```
+
+--
diff --git a/x-pack/plugins/alerting/README.md b/x-pack/plugins/alerting/README.md
@@ -14,7 +14,6 @@ Table of Contents
 	- [Terminology](#terminology)
 	- [Usage](#usage)
 	- [Alerts API keys](#alerts-api-keys)
-	- [Limitations](#limitations)
 	- [Plugin status](#plugin-status)
 	- [Alert types](#alert-types)
 		- [Methods](#methods)
@@ -67,20 +66,6 @@ For security plugin invalidation, we schedule a task to check if the`api_key_pen
 To change the schedule for the invalidation task, use the kibana.yml configuration option `xpack.alerting.invalidateApiKeysTask.interval`.
 To change the default delay for the API key invalidation, use the kibana.yml configuration option `xpack.alerting.invalidateApiKeysTask.removalDelay`.
 
-## Limitations
-
-When security is enabled, an SSL connection to Elasticsearch is required in order to use alerting.
-
-When security is enabled, users who create alerts will need the `manage_api_key` cluster privilege. There is currently work in progress to remove this requirement.
-
-Note that the `manage_own_api_key` cluster privilege is not enough - it can be used to create API keys, but not invalidate them, and the alerting plugin currently both creates and invalidates APIs keys as part of it's processing.  When using only the `manage_own_api_key` privilege, you will see the following message logged in the server when the alerting plugin attempts to invalidate an API key:
-
-```
-[error][alerting][plugins] Failed to invalidate API Key: [security_exception] \
-    action [cluster:admin/xpack/security/api_key/invalidate] \
-    is unauthorized for user [user-name-here]
-```
-
 ## Plugin status
 
 The plugin status of an alert is customized by including information about checking failures for the framework decryption: