diff --git a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
index 4e5c9f4e33..348bfaa648 100644
--- a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
+++ b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
@@ -201,6 +201,13 @@ For more information, see xref:../authentication/understanding-identity-provider
 
 Newly created OAuth HTTP bearer tokens no longer match the names of their OAuth access token objects. The object names are now a hash of the bearer token and are no longer sensitive. This reduces the risk of leaking sensitive information.
 
+[discrete]
+==== Default security context constraints
+
+The `restricted` security context constraints (SCC) in {product-title} 4 can no longer be accessed by any authenticated user as the `restricted` SCC in {product-title} 3.11. The broad authenticated access is now granted to the `restricted-v2` SCC, which is more restrictive than the old `restricted` SCC. The `restricted` SCC still exists; users that want to use it must be specifically given permissions to do it.
+
+For more information, see xref:../authentication/managing-security-context-constraints.adoc#managing-pod-security-policies[Managing security context constraints].
+
 [id="migration-preparing-monitoring"]
 === Monitoring considerations