diff --git a/d4s_user_services_perms/README.md b/d4s_user_services_perms/README.md index 7bf646d2..17649040 100644 --- a/d4s_user_services_perms/README.md +++ b/d4s_user_services_perms/README.md @@ -1,3 +1,12 @@ This role assumes that only one tomcat instance is defined and running on the system. Important note: the variable 'http_port' needs to be defined earlier in the calling playbook. + +What the role does: + +- Install the sudoers config that permits the tomcat user to restart +the service +- Install the script that allows the tomcat user to start and stop the +service without using the full path +- Install the README file that explains where the options files are +placed and how start/stop the service diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml index aa65e71a..59d4a1b7 100644 --- a/d4s_user_services_perms/defaults/main.yml +++ b/d4s_user_services_perms/defaults/main.yml @@ -1,3 +1,7 @@ --- d4science_user: gcube d4science_user_home: '/home/{{ d4science_user }}' + +d4science_tomcat_options_files: + - '/etc/default/tomcat-instance-{{ item.0.http_port }}' + - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local' diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml index 687eae1f..58cd4891 100644 --- a/d4s_user_services_perms/tasks/main.yml +++ b/d4s_user_services_perms/tasks/main.yml 
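Review bot: In `defaults/main.yml` the new `d4science_tomcat_options_files` entries reference `item.0.http_port`, which exists only inside a loop, and the new tasks pass this same list as a `with_nested` term. Depending on the Ansible version, loop terms are templated before `item` is defined, so this can fail with an undefined-variable error or reach the `acl` module unrendered. A default holding only the suffixes, `d4science_tomcat_options_suffixes: [ '', '.local' ]`, with the path built in the task as `name=/etc/default/tomcat-instance-{{ item.0.http_port }}{{ item.1 }}`, removes the dependency on evaluation order.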
@@ -9,3 +9,25 @@
 - '{{ tomcat_m_instances }}'
 - [ 'startContainer.sh', 'stopContainer.sh' ]
 tags: [ 'tomcat', 'd4science', 'sudo' ]
+
+- name: Install the README file that explains where the options files are placed and how start/stop the service
+ template: src={{ item.1 }}.j2 dest={{ item.0.user_home }}/{{ item.1 }} owner={{ item.0.user }} group={{ item.0.user }} mode=0444
+ with_nested:
+ - '{{ tomcat_m_instances }}'
+ - [ 'README' ]
+ tags: [ 'tomcat', 'd4science', 'd4s_readme' ]
+
+- name: Set the read/write permissions on the tomcat default options files
+ acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present
+ with_nested:
+ - '{{ tomcat_m_instances }}'
+ - '{{ d4science_tomcat_options_files }}'
+ tags: [ 'tomcat', 'd4science', 'acl' ]
+
+- name: Set the default read/write permissions on the tomcat default options files
+ acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present default=yes
+ with_nested:
+ - '{{ tomcat_m_instances }}'
+ - '{{ d4science_tomcat_options_files }}'
+ tags: [ 'tomcat', 'd4science', 'acl' ]
+
diff --git a/d4s_user_services_perms/templates/README.j2 b/d4s_user_services_perms/templates/README.j2
new file mode 100644
index 00000000..52448f5b
--- /dev/null
+++ b/d4s_user_services_perms/templates/README.j2
@@ -0,0 +1,8 @@
+The java options are set inside /etc/default/tomcat-instance-{{ item.0.http_port }}
+The GHN environment variables are set inside /etc/default/tomcat-instance-{{ item.0.http_port }}.local
+
+The commands that start and stop the containers are:
+/home/gcube/startContainer.sh
+/home/gcube/stopContainer.sh
+
+The log files live inside /home/gcube/tomcat/logs (it's a symbolic link to {{ tomcat_m_instances_logdir_base }}/{{ item.0.http_port }})
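Review bot: The two `acl` tasks in `tasks/main.yml` give each instance user `rw` on `/etc/default/tomcat-instance-<port>` and its `.local` sibling, and the role's README says the same user may restart the service through sudo. If the service's start script reads those files before dropping privileges (not visible in this diff), the write access amounts to more than editing Java options, so it is worth confirming where the files are read and, if that is the privileged side, keeping them root-owned and managed from the playbook. Separately, the last task repeats the previous one with `default=yes`, but default ACLs exist only on directories and these paths are described as files, so that task likely fails or has no effect and can be dropped. The first context lines belong to a task that starts before this hunk.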
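Review bot: `templates/README.j2` hard-codes `/home/gcube/` for the start/stop scripts and the log directory, while the task that installs it writes to `{{ item.0.user_home }}` and sets the owner to `{{ item.0.user }}`. An instance with a different user or home directory would get a README that points at the wrong paths. Using the loop variable, e.g. `{{ item.0.user_home }}/startContainer.sh` and `{{ item.0.user_home }}/tomcat/logs`, keeps the text in step with where the files presumably live. `tomcat_m_instances_logdir_base` is not set in this role's `defaults/main.yml`, so the README.md note about variables the calling playbook must define could list it alongside `http_port`.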