
[TT-13760] Change defaults: Default secure for Tyk Dashboard admin view #6047


Merged


@buraksezer buraksezer commented Mar 3, 2025

User description

PR for TT-13760

The ticket advises updating the documentation to recommend setting the security.forbid_admin_view_access_token and security.forbid_admin_reset_access_token fields to true.


PR Type

  • Documentation

Description

  • Update docs with recommended security settings.

  • Advise setting security.forbid_admin_view_access_token and security.forbid_admin_reset_access_token to true.


Changes walkthrough 📝

Relevant files: Documentation

user-management.md: Document admin security parameters in user management
tyk-docs/content/api-management/user-management.md

  • Added explanation for two security parameters.
  • Recommend setting both parameters to true.
  • +5/-0

dashboard-config.md: Update dashboard config security recommendations
tyk-docs/content/shared/dashboard-config.md

  • Appended recommended 'true' setting for security fields.
  • Clarified default configuration for admin security.
  • +4/-0


    github-actions bot commented Mar 3, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Clarity

    Ensure that the new explanation for the security parameters is clear and consistent with overall documentation style. Verify that the reference URL format (using ref shortcode) is appropriate and renders correctly.

    ### Admin users
    An *admin* user has full read/write access to all properties. The initial user created during the bootstrapping of the Dashboard is automatically assigned the *admin* role.
    
    Two configuration parameters restrict the admin user. Both values should be set to `true` for improved security.
    
    * [security.forbid_admin_view_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_view_access_token" >}}) that restricts admin users from being able to view other users' Dashboard API Access Credentials (in the API and UI).
    * [security.forbid_admin_reset_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_reset_access_token" >}}) which prevents admin users from resetting the other users' access tokens.
    
    ### User permissions in the Tyk Dashboard API

    Consistency

    Confirm that the new recommendation texts align well with similar security settings descriptions in the docs. Check for uniformity in phrasing and formatting.

    ForbidAdminViewAccessToken is a security feature that allows you to prevent the admin user from viewing the access token of a user. The default is false.
    
    Setting `true` to this field is recommended.
    
    ### security.forbid_admin_reset_access_token
    ENV: <b>TYK_DB_SECURITY_FORBIDADMINRESETACCESSTOKEN</b><br />
    Type: `bool`<br />
    
    ForbidAdminResetAccessToken is a security feature that allows you to prevent the admin user from resetting the access token of a user. The default is false.
    
    Setting `true` to this field is recommended. 
    
    ### ui
    This section controls various settings for the look and feel of the Dashboard UI.
    

    @yurisasuke yurisasuke requested a review from sharadregoti March 3, 2025 08:58

    github-actions bot commented Mar 3, 2025

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Impact
    General
    Enhance documentation clarity

    Improve clarity and consistency in the bullet list by rephrasing the sentences and
    ensuring uniform instruction language.

    tyk-docs/content/api-management/user-management.md [299-303]

    -Two configuration parameters restrict the admin user. Both values should be set to `true` for improved security.
    +Both configuration parameters are recommended to be set to `true` for enhanced security:
     
    -* [security.forbid_admin_view_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_view_access_token" >}}) that restricts admin users from being able to view other users' Dashboard API Access Credentials (in the API and UI).
    -* [security.forbid_admin_reset_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_reset_access_token" >}}) which prevents admin users from resetting the other users' access tokens.
    +* [security.forbid_admin_view_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_view_access_token" >}}) – prevents admin users from viewing other users' Dashboard API Access Credentials.
    +* [security.forbid_admin_reset_access_token]({{< ref "tyk-dashboard/configuration#securityforbid_admin_reset_access_token" >}}) – stops admin users from resetting other users' access tokens.
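    Review bot: the rewritten first bullet drops the qualifier "(in the API and UI)" that the removed line carried, so the suggestion narrows what the setting is documented to cover; keep it, e.g. `– prevents admin users from viewing other users' Dashboard API Access Credentials (in the API and UI).` The new opening line "Both configuration parameters are recommended to be set to `true`" also has nothing for "Both" to refer back to once "Two configuration parameters restrict the admin user." is removed, so that lead sentence should stay and the recommendation follow it.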
    Suggestion importance[1-10]: 5


    Why: The suggestion rephrases the bullet list to improve clarity and consistency, which is a beneficial yet minor stylistic improvement.

    Low
    Clarify recommendation text

    Rephrase the recommendation line to clearly articulate the security benefit of
    setting the field to true.

    tyk-docs/content/shared/dashboard-config.md [847]

    -Setting `true` to this field is recommended.
    +It is recommended to set this field to `true` to enhance security.
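    Review bot: "to enhance security" still states no concrete benefit; the line should say what `true` does, which the description directly above it already gives (it stops the admin user viewing or resetting another user's access token), and should make explicit that this differs from the documented default of `false`. The identical sentence "Setting `true` to this field is recommended." appears under both forbid_admin_view_access_token and forbid_admin_reset_access_token in the excerpt above, so the rewording needs applying in both places, not only at line 847.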
    Suggestion importance[1-10]: 4


    Why: This suggestion refines the recommendation message to better explain the security benefit, offering a minor but useful enhancement.

    Low


    netlify bot commented Mar 3, 2025

    PS. Pls add /docs/nightly to the end of url

    Name Link
    🔨 Latest commit b628152
    🔍 Latest deploy log https://app.netlify.com/sites/tyk-docs/deploys/67c80709de8fa50008ce14f0
    😎 Deploy Preview https://deploy-preview-6047--tyk-docs.netlify.app

    @buraksezer buraksezer force-pushed the feat/TT-13760/default-secure-for-Tyk-Dashboard-admin-view branch from 19de375 to a1e495c Compare March 4, 2025 07:53
    buraksezer and others added 3 commits March 5, 2025 11:10
    @buraksezer buraksezer force-pushed the feat/TT-13760/default-secure-for-Tyk-Dashboard-admin-view branch from 57bc36e to b628152 Compare March 5, 2025 08:10
    @yurisasuke yurisasuke merged commit e44336d into master Mar 5, 2025
    11 checks passed
    @yurisasuke yurisasuke deleted the feat/TT-13760/default-secure-for-Tyk-Dashboard-admin-view branch March 5, 2025 12:47