document PuppetDB integration limitations (theforeman#691)

_includes/manuals/1.12/3.2.3_installation_scenarios.md

@@ -79,7 +79,8 @@ foreman-installer \
   --puppet-server-storeconfigs-backend=puppetdb
 {% endhighlight %}
 
-Be aware that foreman-installer does not setup the PuppetDB server itself.
+Be aware that foreman-installer does not setup the PuppetDB server itself. All versions of foreman-installer up to
+1.12.x support this integration only with Puppet 3.x packages.
 
 #### Foreman server without the Puppet master
 

_includes/manuals/1.13/1.2_release_notes.md

@@ -48,6 +48,8 @@ Installer modules have been updated, see their respective changelogs for more de
 *A full list of changes in 1.13.0 is available via [Redmine](http://projects.theforeman.org/rb/release/160)*
 
 ### Upgrade warnings
+* The installer support for [configuring Puppet masters to use a PuppetDB](/manuals/{{page.version}}/index.html#puppetdb-integration)
+  server is now limited to setups using Puppet Labs Puppet 4 AIO packages.
 
 ### Deprecations
 * ...

_includes/manuals/1.13/3.2.3_installation_scenarios.md

@@ -79,7 +79,8 @@ foreman-installer \
   --puppet-server-storeconfigs-backend=puppetdb
 {% endhighlight %}
 
-Be aware that foreman-installer does not setup the PuppetDB server itself.
+Be aware that foreman-installer does not setup the PuppetDB server itself. Starting with 1.13 of foreman-installer, only
+setups using Puppet Labs Puppet 4 AIO packages are supported for PuppetDB integration using these parameters.
 
 #### Foreman server without the Puppet master
 

_includes/manuals/1.13/4.1.2_roles_and_permissions.md

@@ -12,6 +12,8 @@ These may be created, deleted and edited on the **Roles** page. Each role will c
 
 There is one built-in system role, 'Default role'. This is a set of permissions that every user will be granted, in addition to any other roles that they have.
 
+Roles can be also associated to Locations or Organizations if these are allowed. Unlike other objects this does not mean that Roles would be only available in a particular scope. Roles are always global for the whole Foreman. The association means that filters of such role are scoped to a particular Organization or Location. Imagine you want to create a role representing Manager of Organization A. You can clone existing Manager role and associate it with Organization A. If you later assign this role to some users, they will be granted manager permissions but only on resources of Organization A. Note that some resource are not scopeable by Organization and Locations. Filters for such resources grants permissions globally.
+
 #### Filters
 
 Filters are defined within the context of a role, clicking on the 'filters and permissions' link. A filter allows an user to choose a **resource** (Hosts, Host groups, etc...) and the **permissions** that should be granted for that resource. After a filter has been created, users given a role containing this filter will have the permissions for the resource specified at the filter.
@@ -33,6 +35,8 @@ Some example queries for the resource Host:
 
 These pools of queries can be combined by adding them together or the filters can be used to restrict the selected resource to a smaller and smaller subset of the total. Think of them as set operations.
 
+As already mentioned, Role can be assigned to Organizations and Locations. In such case, all filters for resources that support such scoping automatically apply the same Organizations and Locations. If you want to combine filters with different Organizations or Locations assignments, you can use 'Override' check box. When checked you can override Organizations and Location for a filter. If you uncheck this field, the filter starts inheriting its role Organizations and Locations after submitting again. If you want to reset all role's filter to start inheriting, you can use 'Disable all filters overriding' button on role's 'Filters' tab. We recommend managing Organizations and Locations association on Role level to keep the setup simple and clear.
+
 Note: If the "Administrator" check box is checked for a user, filtering will not take effect.
 
 #### Permissions