diff --git a/Backends.md b/Backends.md
index 6f4475d..127f633 100644
--- a/Backends.md
+++ b/Backends.md
@@ -139,12 +139,13 @@ The Proxy backend allows SSH connections to be proxied to another server.
 
 ### Permissions
 
-The proxy backend doesn't expose any items to the permissions system. You can allow or deny access to the entire route using a wildcard:
+The proxy backend exposes the target server's address to the permissions system. For example, to allow `group1` to access any local IP except `192.168.1.1`, you can do:
 
 ```hcl
 permissions = {
-  admins = {
-    allow = ["*"]
+  group1 = {
+    allow = ["192.168.*"]
+    deny = ["192.168.1.1"]
   }
 }
 ```