diff --git a/docs/getting-started/advanced/databases.md b/docs/getting-started/advanced/databases.md index 4d1532be5..e022b8ec3 100644 --- a/docs/getting-started/advanced/databases.md +++ b/docs/getting-started/advanced/databases.md @@ -59,6 +59,8 @@ services: !!! danger "" Set strong passwords if the database is exposed to an external network. Never expose your database to the public Internet in this way, for example, if it is running on a cloud server. +For increased security do not allow the "photoprism" user to access the database from every host (`'photoprism'@'%'`) but restrict it to the hosts photoprism is accessing the database from (e.g. `'photoprism'@'192.168.1.2'` or `'photoprism'@'192.168.1.%'` for entire subnet). + ## Schema Migrations An index schema migration is performed automatically every time PhotoPrism is (re)started. The following instructions may be helpful in special cases, such as when a temporary problem has prevented a successful migration: diff --git a/docs/getting-started/advanced/docker-security.md b/docs/getting-started/advanced/docker-security.md index dce045fb7..8938bf57e 100644 --- a/docs/getting-started/advanced/docker-security.md +++ b/docs/getting-started/advanced/docker-security.md 
@@ -48,6 +48,9 @@ docker compose stop docker compose up -d ``` +Please keep in mind that the _numeric_ user and group ids are shared between the local docker host and the docker container (user/group _names_ are not). That means the user running inside the container can read and write all files on the host with the same user id as photoprism is running at. The container runtime tries restricts the available paths but as soon as a security vulnerability circumvents this docker imposed restrictions full access to the entire host with this user id is possible. Threfore nover run as root or with a low user id of regular users of the docker host. + + ## Remove Passwords From the Environment Passwords specified directly in a `docker-compose.yml` file or otherwise passed to the container environment may pose a security risk. As an alternative, they can be set in an [options.yml](../config-files/index.md) file located in the _config_ [storage folder](../docker-compose.md#photoprismstorage): diff --git a/docs/getting-started/advanced/openid-connect.md b/docs/getting-started/advanced/openid-connect.md index 32fe3476f..5b6f37f39 100644 --- a/docs/getting-started/advanced/openid-connect.md +++ b/docs/getting-started/advanced/openid-connect.md 
@@ -20,7 +20,7 @@ | PHOTOPRISM_DISABLE_OIDC | --disable-oidc | | disable single sign-on via OpenID Connect, even if an identity provider has been configured | !!! note "" - Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled. + Your PhotoPrism instance and the [OpenID Connect Identity Provider (IdP)](#identity-providers) must be accessible **via HTTPS** and have valid TLS certificates configured for it. Please also make sure that the hostname in the [Redirect URL](#redirect-url) configured on the IdP matches the [Site URL](../../getting-started/config-options.md#site-information) config used by PhotoPrism. Single sign-on via OIDC can otherwise not be enabled. ## Identity Providers diff --git a/docs/getting-started/config-files/index.md b/docs/getting-started/config-files/index.md index 81a9208e4..e5431a594 100644 --- a/docs/getting-started/config-files/index.md +++ b/docs/getting-started/config-files/index.md 
@@ -5,6 +5,8 @@ convenient to use an `options.yml` file located in your *config path*, for examp installed [through an app store](../nas/asustor.md) or with the [installation packages we provide](https://dl.photoprism.app/pkg/linux/README.html). +Settings inside the `options.yml` file overwrite values from `defaults.yml` and in turn are overwritten by command flags and environment variables. + You can specify a custom *config path* by adding the `ConfigPath` option to a ↪ [`defaults.yml`](defaults.md) file in the `/etc/photoprism` directory (requires root privileges). It is also possible to use the command flag `--config-path` or the environment variable `PHOTOPRISM_CONFIG_PATH` for this. By default, it is a subdirectory of the [*storage diff --git a/docs/getting-started/faq.md b/docs/getting-started/faq.md index 28a89530b..652b28bcd 100644 --- a/docs/getting-started/faq.md +++ b/docs/getting-started/faq.md 
@@ -483,9 +483,21 @@ it includes all the details including root and rootless modes, user mapping and ### Any plans to add support for Active Directory, LDAP or other centralized account management options? -There is no single sign-on support yet as we didn't consider it essential for our initial release. -Our team is currently working on [OpenID Connect](https://github.com/photoprism/photoprism/issues/782), -which will be available in a future release. +For Single-SignOn OpenID Connect is available. It is possible to connect to any OIDC compliant provider to centrally manage your user identities. This can be a external service like Google or a locally hosted one like Keycloak or other. + +The documentation on how to set it up can be found at [OpenID Connect](../getting-started/advanced/openid-connect.md). + +### Login of new user is not possible via OpenID Connect +1. When OpenID Connect is enabled new users can be automatically created on first login. For that OIDC register must be activated (env var `PHOTOPRISM_OIDC_REGISTER` or `--oidc-register` flag). + +2. If a user was registered and deleted afterwards the next login of this user does not re-register this user. The login fails with an generic "invalid credentials" error message presented to the user. + + Looking at the login audit log ([`photoprism audit logins`](./users/cli/#viewing-login-attempts)) an "account disabled" error message can be seen because OIDC accounts not fully deleted but only deleted partially and disabled. + + To restore a previously deleted account, admins can [create a new account](users/cli.md#creating-a-new-account) with the same *username* through the [Admin Web UI](users/index.md#adding-a-new-user) or the [`photoprism users add`](users/cli.md#creating-a-new-account) command. + + See [Deleting Accounts](../getting-started/advanced/openid-connect.md#deleting-accounts) on OpenID Connect setup page + ### Your app is really terrible, can I tell you how bad it is? 
diff --git a/docs/user-guide/users/cli.md b/docs/user-guide/users/cli.md index 38b9e396f..1c8c8956c 100644 --- a/docs/user-guide/users/cli.md +++ b/docs/user-guide/users/cli.md 
@@ -35,14 +35,16 @@ As an alternative to the [web user interface](index.md), you can [run the follow | CLI Command | Description | |---------------------------------------------|----------------------------------------------| -| `photoprism users ls [search]` | Searches existing user accounts | -| `photoprism users legacy [search]` | Searches legacy user accounts | +| `photoprism users ls [options] [search]` | Searches existing user accounts | +| `photoprism users legacy [options] [search]` | Searches legacy user accounts | | `photoprism users add [options] [username]` | Adds a new user account | -| `photoprism users show [username]` | Displays user account information | -| `photoprism users mod [options] [username]` | Modifies an existing user account | -| `photoprism users rm [username]` | Removes a user account | +| `photoprism users show [options] [username]` | Displays user account information | +| `photoprism users mod [options] [username]` | Modifies an existing user account | +| `photoprism users rm [options] [username]` | Removes a user account | | `photoprism users reset --yes` | Removes all accounts and resets the database | +To get a list of all possible options run the commands with `--help` flag. + !!! tldr "" Users who experience login problems after upgrading from [development builds](../../getting-started/updates.md#development-preview), or [old releases prior to November 2022](../../known-issues.md#new-user-management), can run the `photoprism users reset --yes` command to [recreate the session](#session-management) and user management database tables so they are compatible with the current version. Note that any [client access tokens](client-credentials.md#access-tokens) and [app passwords](../settings/account.md#apps-and-devices) that users may have created will also be deleted and must be recreated. 
@@ -129,7 +131,7 @@ You can combine it with these flags to change the output format and the maximum | Client IP | Username | Realm | Status | Last Login | Failed At | |------------|----------|-------|--------|---------------------|-----------| | 172.19.0.1 | user | api | OK | 2023-02-03 07:17:46 | | -| 172.19.0.1 | viewer | api | OK | 2023-02-03 07:16:55 | | +| 172.19.0.1 | viewer | api | error: account disabled | 2023-01-12 17:30:55 | 2023-02-03 07:16:55 | | 172.19.0.1 | admin | api | OK | 2023-02-03 06:55:06 | | !!! tldr ""
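Review bot: In the docs/getting-started/advanced/databases.md hunk, the new sentence after the danger admonition is hard to parse and never says what the restriction buys: it limits where a leaked `photoprism` password can be used from. Suggest: `For additional hardening, do not grant the photoprism database user access from every host ('photoprism'@'%'); restrict it to the host(s) PhotoPrism connects from, e.g. 'photoprism'@'192.168.1.2' for a single host or 'photoprism'@'192.168.1.%' for a whole subnet.` Since this section is a docker compose example (`services:` in the hunk context), the address MariaDB sees is the PhotoPrism container's address on the compose network rather than a LAN address, so the example should either use that network's range or say so explicitly. Also `for entire subnet` is missing the article.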
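Review bot: The paragraph added in docs/getting-started/advanced/docker-security.md has several typos and an imprecise conclusion. `tries restricts` should be `tries to restrict`, `this docker imposed restrictions` should be `these Docker-imposed restrictions`, and `Threfore nover run` should be `Therefore never run`. The advice `never run as root or with a low user id of regular users of the docker host` is unclear; the point is to avoid a UID that belongs to any existing account on the host, root included, so say `run the container with a UID and GID that are not assigned to any user on the Docker host`. The claim that the in-container user `can read and write all files on the host with the same user id` holds only for paths reachable from the container unless the runtime's isolation is bypassed, which the following sentence already says; reorder the two sentences so they do not contradict each other. Finally, the whole statement assumes the default mapping without user namespace remapping; the FAQ context in this same patch already points to `root and rootless modes, user mapping`, so qualify with `unless user namespace remapping or rootless mode is used`.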
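Review bot: In docs/getting-started/advanced/openid-connect.md the only change is inserting `config` after `Site URL`, which makes the sentence harder to read without adding meaning. If the intent is to point at the config option, prefer `matches the Site URL configured for PhotoPrism`. While touching this sentence, `have valid TLS certificates configured for it` should be `for them`, since the subject is both the PhotoPrism instance and the IdP.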
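Review bot: The precedence sentence added to docs/getting-started/config-files/index.md should use `override` rather than `overwrite` (nothing is written back to the file), and it leaves the order between command flags and environment variables open: `overwritten by command flags and environment variables` reads as if they had equal rank. Suggest: `Settings in options.yml override the values in defaults.yml and are in turn overridden by environment variables and command flags`, with the last two listed in their actual order of precedence, which this hunk does not state.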
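Review bot: In the docs/getting-started/faq.md hunk, the new heading `Login of new user is not possible via OpenID Connect` does not match its content: item 1 is about new users, but item 2 is about previously deleted users, so a heading such as `Why can a user not log in via OpenID Connect?` covers both. Wording fixes: `For Single-SignOn OpenID Connect is available` should be `Single sign-on via OpenID Connect is available`, `a external service` should be `an external service`, `an generic "invalid credentials"` should be `a generic`, and `because OIDC accounts not fully deleted but only deleted partially and disabled` should be `because OIDC accounts are not fully deleted but only partially deleted and disabled`. The link `./users/cli/#viewing-login-attempts` uses a rendered-URL form while every other link in the hunk uses `users/cli.md#...`; use `users/cli.md#viewing-login-attempts` so mkdocs can validate it. The closing line `See [Deleting Accounts](...) on OpenID Connect setup page` is missing `the` and a period, and `../getting-started/advanced/openid-connect.md` resolves from docs/getting-started/faq.md only by going up and back into the same directory; `advanced/openid-connect.md` is the direct path.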
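Review bot: In the first docs/user-guide/users/cli.md hunk, `photoprism users reset --yes` is now the only row without `[options]`; if `reset` takes no further options that is fine, otherwise add it for consistency with the rest of the table. The new sentence `To get a list of all possible options run the commands with --help flag.` is missing an article and reads better with a concrete invocation: `To see all available options, run a command with the --help flag, e.g. photoprism users add --help.`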
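Review bot: In the second docs/user-guide/users/cli.md hunk, the modified `viewer` row puts `error: account disabled` in a Status column whose header, separator and neighbouring rows are still padded for `OK`, so the table source no longer aligns; re-pad the header, separator and the `user` and `admin` rows (or trim the padding throughout) so the sample output stays readable in source form. The FAQ hunk in this patch quotes this output as an `"account disabled"` error message; since both describe the same command, make the quoted string in the FAQ match the exact status text shown here (`error: account disabled`).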