diff --git a/core/security.md b/core/security.md index c1d4aaf0d5e..c22e15a7f2a 100644 --- a/core/security.md +++ b/core/security.md @@ -118,7 +118,7 @@ Available variables are: * `user`: the current logged in object, if any * `object`: the current resource, or collection of resources for collection operations -* `request`: the current request +* `request` (only at the resource level): the current request Access control checks in the `security` attribute are always executed before the [denormalization step](serialization.md). It means than for `PUT` or `PATCH` requests, `object` doesn't contain the value submitted by the user, but values currently stored in [the persistence layer](data-persisters.md).
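Review bot: the new qualifier on the `request` bullet, "(only at the resource level)", does not say which other level it is contrasted with, so a reader cannot tell where `request` is unavailable or what an access control expression that references it there will do. Since these expressions decide authorization, name the context where the variable is missing and state the resulting behaviour, for example with a sentence after the list rather than a parenthetical. While touching this block, the unchanged context line "It means than for `PUT` or `PATCH` requests" has a typo ("than" should be "that"), and "the current logged in object" in the `user` bullet would read better as "the current logged in user object"; both could be fixed in the same patch.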