diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index ffd18b337b1f99fc52a00fb518f88e360cac0f6a..d70de99ba1e81e627d39bec963173bb4f4f27864 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -391,6 +391,18 @@ Parameters
   higher than ``incoming_connection_limit``), even if it would go above the
   specified connection limit.
 
+**maintenance** (boolean, optional, ``False``)
+  Specifies if maintenance mode should be enabled or not. In
+  maintenance mode incoming TCP connections are allowed only from
+  explicitly listed hosts (see ``maintenance_allowed_hosts``
+  parameter). All ports are covered by this rule, with sole exception
+  being the TCP port 22 (SSH). The SSH port is never blocked via
+  maintenance mode.
+
+**maintenance_allowed_hosts** (list, optional,  ``[]``)
+  List of hosts that should be allowed to connect to the server when
+  in maintenance mode.
+
 **ntp_servers** (list, optional, ``[]``)
   List of NTP servers to use for synchronising the time on managed
   machine using NTP. If no time synchronisation should be set-up, set