diff --git a/config.py b/config.py
index ee6ed8d6518887c6289551d29d6f2adad3b15e8e..edfdb43c951d548781bcc36e68c430caefd17d6d 100644
--- a/config.py
+++ b/config.py
@@ -19,10 +19,6 @@ CORTEX_API_KEY_FILE = os.path.join(SOCTOOLS_BASE, "secrets/tokens/cortex_secret_
 MGMT_USER_NAME = "soctools-user-mgmt"
 MGMT_USER_CERT_PATH = os.path.join(SOCTOOLS_BASE, "secrets/CA/issued/soctools-user-mgmt.crt")
 MGMT_USER_KEY_PATH = os.path.join(SOCTOOLS_BASE, "secrets/CA/private/soctools-user-mgmt.key")
-# TODO FIXME "SOC_Admin" used instead for initial testing
-# MGMT_USER_NAME = "SOC_Admin"
-# MGMT_USER_CERT_PATH = os.path.join(SOCTOOLS_BASE, "secrets/certificates/SOC_Admin.crt.pem")
-# MGMT_USER_KEY_PATH = os.path.join(SOCTOOLS_BASE, "secrets/certificates/SOC_Admin.key.pem")
 
 # Following parameters are set up dynamically by load_config() in main.py
 SOCTOOLSPROXY = None
diff --git a/main.py b/main.py
index dea769b96148cabdcccb2667da8c65a815c6af52..fe7709984baf37123878d6eadef7904ca4dd6db6 100644
--- a/main.py
+++ b/main.py
@@ -20,7 +20,7 @@ from thehive import *
 from cortex import *
 
 app = Flask(__name__)
-app.secret_key = "ASDF1234 - CHANGE ME!"
+app.secret_key = "ASDF1234 - CHANGE ME!" # TODO: set dynamically to something random
 
 
 @app.before_first_request
@@ -638,11 +638,9 @@ def _send_token(username: str, email: str) -> Tuple[bool, Optional[str]]:
 
 
 # TODO:
-#   (re)send cert-access token for existing user - DONE (on click in table)
-#   automatically create certificate when creating new user (optionally automatically send email with token) - DONE
-#   revoke and delete certificate when user is deleted
-#   make CN=username (so cert filename also matches the username (it's stored by CN)) - DONE
-
+#  - revoke and delete certificate when user is deleted
+#  - send tokens via email
+#  - authentication/authorization to this GUI
 
 # @app.route("/test_cert/<func>")
 # def test_cert_endpoint(func):
@@ -650,15 +648,6 @@ def _send_token(username: str, email: str) -> Tuple[bool, Optional[str]]:
 #     result = str(getattr(certificates, func)(**request.args))
 #     return make_response(result)
 
-
-# TODO other services (besides Keycloak)
-#  - NiFi - DONE
-#  - MISP - DONE
-#  - Kibana? - account doesn't need to be added, but it needs to add privileges
-#  - TheHive + Cortex
-
-# TODO authentication/authorization to this GUI
-
 # When the script is run directly, run the application on a local development server.
 # Optionally pass two parameters, 'host' (IP to listen on) and 'port',
 # e.g.: ./main.py 0.0.0.0 8080
diff --git a/templates/main.html b/templates/main.html
index 32acabd09d51f8ecb57402f6c2706b2032e4c875..85b3e95c5d7f695407508ad791406d5d4dbe1cd2 100644
--- a/templates/main.html
+++ b/templates/main.html
@@ -107,4 +107,8 @@ document.getElementById('show-internal').addEventListener('change', function(eve
 {% endfor %}
 </table>
 
+<h3>OpenSearch Dashboards</h3>
+
+OpenSearch Dashboards does not keep a list of users, it is currently configured to allow (full) access to any user authenticated by Keycloak (i.e. those listed in the first table).
+
 {% endblock %}
\ No newline at end of file