Polish the documentation

docs/source/reference/authenticators.md

@@ -313,7 +313,7 @@ and roles cannot be specified with `load_groups` traitlet.
 :::
 
 Some identity providers may have their own concept of role membership that you would like to preserve in JupyterHub.
-This is now possible with `Authenticator.manage_roles`.
+This is now possible with {attr}`.Authenticator.manage_roles`.
 
 You can set the config:
 
@@ -335,13 +335,18 @@ which is a list of roles that user should be assigned to:
 - Attributes of the roles (`description`, `scopes`, `groups`, `users`, and `services`) will be updated if given
 - If `None` is returned, no changes are made to the user's roles
 
-If authenticator-managed groups are enabled,
+If authenticator-managed roles are enabled,
-all group-management via the API is disabled,
+all role-management via the API is disabled,
 and roles cannot be assigned to groups nor users via `load_roles` traitlet
 (roles can still be created via `load_roles` or assigned to services).
 
 When an authenticator manages roles, the initial roles and role assignments
-can be loaded from role specifications returned by the `Authenticator.load_managed_roles()` method.
+can be loaded from role specifications returned by the {meth}`.Authenticator.load_managed_roles()` method.
+
+The authenticator-manged roles and role assignment will be deleted after restart if:
+
+- {attr}`.Authenticator.reset_managed_roles_on_startup` is set to `True` (default), and
+- the roles and role assignments are not included in the initial set of roles returned by the {meth}`.Authenticator.load_managed_roles()` method.
 
 ## pre_spawn_start and post_spawn_stop hooks