diff --git a/demos/demo2/README.md b/demos/demo2/README.md
index 756ff8b3249cc11f9e763143ff18f5717bbe1b94..08afa06db84fc544dcae2a29395c9d871e35ec43 100644
--- a/demos/demo2/README.md
+++ b/demos/demo2/README.md
@@ -35,8 +35,34 @@ To await specific messages, S3IBAsyncClient's awaitMessage method can be used. T
 
 demo2_forestmanager_waldbesitzer.py updates the security submodel, then notifies demo2_forestmanager.py using the 
 S3IBAsyncClient's sendUserMessage Method:
-`await client.sendUserMessage(forstify_hmi_id, "s3ibs://" + forstify_hmi_id, "Authorized", "Authorized")`
-(foristify_hmi_id here is a naming mistake)
+`await client.sendUserMessage(forestmanager_hmi_id, "s3ibs://" + forestmanager_hmi_id, "Authorized", "Authorized")`
+
+### Security and Authorization
+
+Security-related data can be stored in the security submodel (refer to /model/security.py). It contains AccessControl, a SubmodelElementList of AccessRuleCollection. The latter is a SubmodelElementCollection, that contains a SubmodelElementList of AccessPermissonRule (a SubmodelElementCollection with the user the permission is being granted to, the permission type for example ALLOW, and the permisson for example READ) and the Target (a ReferenceElement that refers to the AAS-Element the rules apply to). 
+
+```
+    rules = [security.AccessPermissionRule(forestmanager_hmi_id, 
+                                           security.PermissionKind.ALLOW, 
+                                           security.Permission.READ),
+            security.AccessPermissionRule(forestmanager_hmi_id, 
+                                          security.PermissionKind.ALLOW, 
+                                          security.Permission.WRITE)]
+
+    rules_smc = security.AccessPermissionCollection(
+        target=model.ModelReference.from_referable(aas_dz_wald),
+        rules=rules
+    )
+
+    access_control = security.AccessControl(permissions=[rules_smc])
+
+    security_sm = security.Security("https://www.company.com/security") 
+    security_sm.add_referable(access_control)
+
+```
+
+Since permission-granting decisions are made by the opa-server (if security enabled), this data must provided (in simpler format) to it and continiously updated (if changes occur). This is handled by the S3IBServer Component utilizing the security.py::get_dict_from_security_submodel method.  
+