add explanation

Author: Amrouche Hamza

core/security.md

@@ -22,10 +22,10 @@ use Symfony\Component\Validator\Constraints as Assert;
  *     attributes={"is_granted"="has_role('ROLE_USER')"},
  *     collectionOperations={
  *         "get"={"method"="GET"},
- *         "post"={"method"="POST", "is_granted"="has_role('ROLE_ADMIN')"}
+ *         "post"={"method"="POST", "access_control"="has_role('ROLE_ADMIN')"}
  *     },
  *     itemOperations={
- *         "get"={"method"="GET", "is_granted"="has_role('ROLE_USER') and object.getOwner() == user"}
+ *         "get"={"method"="GET", "access_control"="has_role('ROLE_USER') and object.getOwner() == user"}
  *     }
  * )
  * @ORM\Entity
@@ -51,6 +51,8 @@ class Book
 }
 ```
 
+This exemple is going to allow only fetching the book related to the current user, if he try to fetch a book that is not linked to his account that will not return the resource and only admins are able to create books which means that a user could not create a book.
+
 It is also possible to use the [event system](events.md) for more advanced logic or even [custom actions](operations.md#creating-custom-operations-and-controllers)
 if you really need to.