diff --git a/doc/how-to/how-to-grant-metabase-permissions.md b/doc/how-to/how-to-grant-metabase-permissions.md index 9bde8702b9..1cce89ccfa 100644 --- a/doc/how-to/how-to-grant-metabase-permissions.md +++ b/doc/how-to/how-to-grant-metabase-permissions.md @@ -24,6 +24,8 @@ The password for Staging and Production databases can be found the OSL 1Password The username and password for Metabase are not controlled via IaC - they are manually entered via the Metabase "Admin" dashboard (`Admin Setting > Databases > "staging" | "production" > Username / Password fields`). +Please note - this is separate to the role used to read/write Metabase internal application data (such as dashboard and queries). This role is setup in IaC [here](https://github.com/theopensystemslab/planx-new/blob/main/infrastructure/application/index.ts#L100). For more information, please see [the Metabase docs](https://www.metabase.com/docs/latest/installation-and-operation/configuring-application-database). + ### Locally & Pizzas If you wish to run Metabase locally using the "analytics" Docker profile (`pnpm analytics` from project root), you will need to manually run the above SQL on your local database with a password of your choice. Alternatively, you can use the root DB username/password. diff --git a/infrastructure/application/index.ts b/infrastructure/application/index.ts index e203d5923b..6149575a7d 100644 --- a/infrastructure/application/index.ts +++ b/infrastructure/application/index.ts @@ -97,6 +97,10 @@ export = async () => { superuser: false, }); const metabasePgPassword = config.requireSecret("metabasePgPassword"); + + // Setup role and database for internal Metabase application data, such as dashboards and queries + // This is separate to the postgres/public one used to hold PlanX application data + // Docs: https://www.metabase.com/docs/latest/installation-and-operation/configuring-application-database const role = new postgres.Role( "metabase", {
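Review bot: In the how-to-grant-metabase-permissions.md hunk, the new link targets `infrastructure/application/index.ts#L100` on `main`, and that line anchor is already off within this same patch. The index.ts hunk inserts four lines starting at line 100, so after merge `#L100` lands on the added blank line and `const role = new postgres.Role(` moves to line 104. Link to a commit permalink instead, or drop the line anchor and name the resource (the `"metabase"` `postgres.Role`) so the reference survives later edits. Two wording nits in the same sentence: "dashboard and queries" should be "dashboards and queries", and "This role is setup" should be "This role is set up".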
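Review bot: In the infrastructure/application/index.ts hunk, the new comment block is placed after `const metabasePgPassword = config.requireSecret("metabasePgPassword");`, which by its name belongs to the same Metabase setup it describes. Move the comment above that line so the secret and the role it protects are documented together. The comment also says "role and database" while only the `postgres.Role` is visible at this point, so either place it where it covers both resources or state where the database is created. "Setup role" should read "Set up role", and "the postgres/public one" is ambiguous about whether it names a database, a schema or a role; spell out which, since the purpose of the comment is to keep readers from confusing the two sets of credentials.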