diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala
index 5bd6855aa..04ef056ff 100644
--- a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala
+++ b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamUserDirectives.scala
@@ -50,6 +50,11 @@ trait SamUserDirectives {
       }
     }
 
+  // Ideally, we would just make this check from inside the *Service.scala code, but not all Services have access to
+  // cloudExtensions and I don't think we should add cloudExtensions just for checking if a user is an admin.  So this
+  // was added so we can do the "isAdmin calculation" in the routes, just like we've always done it, but then pass this
+  // data into the Services to let them make their own authz determination.  If we can change the way we define admins
+  // from _not_ depending on Google, then we may be able to get rid of this directive.
   def isWorkbenchAdmin(samUser: SamUser): Directive1[Boolean] =
     onSuccess(cloudExtensions.isWorkbenchAdmin(samUser.email))