[TT-13760] Extend the documentation regarding the recommended value of security.forbid_admin_view_access_token and security.forbid_admin_reset_access_token parameters.

Author: buraksezer

tyk-docs/content/api-management/user-management.md

@@ -296,6 +296,11 @@ It is important to note that all user roles are defined and enforced **at the Da
 ### Admin users
 An *admin* user has full read/write access to all properties. The initial user created during the bootstrapping of the Dashboard is automatically assigned the *admin* role.
 
+Two configuration parameters restrict the admin user. Both values should be set to `true` for improved security.
+
+* [security.forbid_admin_view_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_view_access_token" >}}) that restricts admin users from being able to view other users' Dashboard API Access Credentials (in the API and UI).
+* [security.forbid_admin_reset_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_reset_access_token" >}}) which prevents admin users from resetting the other users' access tokens.
+
 ### User permissions in the Tyk Dashboard API
 The permissions object, which is provided to the Dashboard API has this structure:
 

tyk-docs/content/shared/dashboard-config.md

@@ -844,12 +844,16 @@ Type: `bool`<br />
 
 ForbidAdminViewAccessToken is a security feature that allows you to prevent the admin user from viewing the access token of a user. The default is false.
 
+Setting `true` to this field is recommended.
+
 ### security.forbid_admin_reset_access_token
 ENV: <b>TYK_DB_SECURITY_FORBIDADMINRESETACCESSTOKEN</b><br />
 Type: `bool`<br />
 
 ForbidAdminResetAccessToken is a security feature that allows you to prevent the admin user from resetting the access token of a user. The default is false.
 
+Setting `true` to this field is recommended. 
+
 ### ui
 This section controls various settings for the look and feel of the Dashboard UI.