diff --git a/controllers/static/zuul/generate-tenant-config.sh b/controllers/static/zuul/generate-tenant-config.sh
index 8f76ff7..fccea6a 100755
--- a/controllers/static/zuul/generate-tenant-config.sh
+++ b/controllers/static/zuul/generate-tenant-config.sh
@@ -10,6 +10,8 @@ cat << EOF > ~/main.yaml
     max-job-timeout: 10800
     name: internal
     report-build-page: true
+    admin-rules:
+      - admin-internal
     exclude-unprotected-branches: true
     source:
       git-server:
diff --git a/doc/deployment/config_repository.md b/doc/deployment/config_repository.md
index a3ee42f..29d5ded 100644
--- a/doc/deployment/config_repository.md
+++ b/doc/deployment/config_repository.md
@@ -232,3 +232,12 @@ Once the resource is ready, the config repository will appear listed in the inte
 ## Next Steps
 
 You may now want to configure [connection secrets for nodepool providers](./nodepool.md) (kubeconfig, clouds.yaml).
+
+## How to be an administrator in Internal Tenant
+
+As said in the [Concept](#concept) section, SF-Operator manages a hidden git repository which defines and sets the
+`internal` tenant.
+
+This tenant has an `admin-rules` definition, setting the `admin-internal` group as the tenant administrator.
+
+To be an `internal` administrator, just set a [`authorization-rule`](https://zuul-ci.org/docs/zuul/latest/tenants.html#authorization-rule) named `admin-internal` in the config project defined at `Set the config repository location`
diff --git a/doc/reference/CHANGELOG.md b/doc/reference/CHANGELOG.md
index 8c13685..7a33794 100644
--- a/doc/reference/CHANGELOG.md
+++ b/doc/reference/CHANGELOG.md
@@ -5,6 +5,9 @@ All notable changes to this project will be documented in this file.
 ## [in development]
 
 ### Added
+
+- zuul - add admin-rule for internal tenant
+
 ### Removed
 ### Changed
 ### Fixed