diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 7ada8ae9b70..4aed90bb96b 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -11,6 +11,9 @@ Type=dbus
 BusName=org.freedesktop.sssd.infopipe
 ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
 ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
+# 'CapabilityBoundingSet' is used to limit privileges set only in case
+# SSSD IFP service is configured to run under 'root' (if service
+# is configured to run under non-privileged user this is a "no-op"):
 CapabilityBoundingSet= @additional_caps@
 Restart=on-failure
 User=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 92210b0ff91..a8af4eadcff 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -11,4 +11,7 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+# Currently SSSD KCM server ('sssd_kcm') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
 CapabilityBoundingSet= @additional_caps@ CAP_SETGID CAP_SETUID
diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
index c671280f2c8..6108959b02e 100644
--- a/src/sysv/systemd/sssd-nss.service.in
+++ b/src/sysv/systemd/sssd-nss.service.in
@@ -13,3 +13,6 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
+# Currently SSSD NSS service ('sssd_nss') can't be started under 'sssd' user
+# via systemd due to NSS loop when systemd resolves getgrouplist(sssd).
+# Hence 'User=' and 'Group=' aren't set (defaults to root).
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index a526aa5279b..4d9596a8374 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -14,6 +14,9 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
+# Currently main SSSD process ('sssd') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
 CapabilityBoundingSet= @additional_caps@ CAP_CHOWN CAP_KILL CAP_SETGID CAP_SETUID
 Restart=on-abnormal