Mention need for admin role
Richard Taylor committed Feb 26, 2022
1 parent b6650e6 commit 1a16f29
Showing 2 changed files with 12 additions and 0 deletions.
8 changes: 8 additions & 0 deletions SECRET-PROTECTION.md
Expand Up @@ -14,6 +14,8 @@ Ensure managed trust roots are enabled using:
approov pin -setManagedTrustRoots on
```

> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
This ensures connections may only use official certificates, and blocks the use of self signed certificates that might be used by a Man-in-the-Middle (MitM) attacker.

## ADDING API DOMAINS
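Review bot: the added `> Note that this command requires an [admin role]...` line is immediately followed by the `This ensures connections may only use official certificates...` paragraph with no blank line between them, so Markdown lazy continuation will render that paragraph inside the blockquote rather than as normal text. Add an empty line after the note; the same applies to each of the other notes added in this commit, in both SECRET-PROTECTION.md and SHAPES-EXAMPLE.md, since every one of them is placed directly above an existing paragraph.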
Expand All @@ -32,6 +34,8 @@ It is assumed that you already have some client secrets and/or API keys in your
approov secstrings -setEnabled
```

> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
The quickstart integration works by allowing you to replace the secret in your app with a placeholder value instead, and then the placeholder value is mapped to the actual secret value on the fly by the interceptor (if the app passes Approov attestation). The shipped app code will only contain the placeholder values.

If your app currently uses `<secret-value>` then replace it in your app with the value `<secret-placeholder>`. Choose a suitable placeholder name to reflect the type of the secret. The placeholder value will be added to requests in the normal way, but you should be using the Approov enabled networking client to perfom the substituion.
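Review bot: while this region is being touched, the unchanged context line `...but you should be using the Approov enabled networking client to perfom the substituion.` carries two typos (`perfom`, `substituion`) that could be fixed in the same commit, since the new note sits two lines above it.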
Expand All @@ -42,6 +46,8 @@ You must inform Approov that it should substitute `<secret-placeholder>` for `<s
approov secstrings -addKey <secret-placeholder> -predefinedValue <secret-value>
```

> Note that this command also requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
You can add up to 16 different secret values to be substituted in this way.

If the secret value is provided on the header `<secret-header>` then it is necessary to notify the `ApproovService` that the header is subject to substitution. You do this by making the call once, after initialization:
Expand Down Expand Up @@ -77,6 +83,8 @@ If you wish to provide more direct feedback then enable the [Rejection Reasons](
approov policy -setRejectionReasons on
```

> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
You will then be able to use `getRejectionReasons()` on an `ApproovRejectionException` to obtain a comma separated list of [device properties](https://approov.io/docs/latest/approov-usage-documentation/#device-properties) responsible for causing the rejection.

## FURTHER OPTIONS
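Review bot: with this hunk the document now carries four near-identical admin-role notes (`approov pin -setManagedTrustRoots on`, `approov secstrings -setEnabled`, `approov secstrings -addKey ...`, `approov policy -setRejectionReasons on`). A single statement near the top of SECRET-PROTECTION.md that all account configuration commands shown require the admin role, linking to the same account-access-roles page, would say this once and avoid the notes drifting out of sync when commands are added later.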
4 changes: 4 additions & 0 deletions SHAPES-EXAMPLE.md
Expand Up @@ -141,12 +141,16 @@ Next we enable the [Secure Strings](https://approov.io/docs/latest/approov-usage
approov secstrings -setEnabled
```

> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
You must inform Approov that it should map `shapes_api_key_placeholder` to `yXClypapWNHIifHUWmBIyPFAm` (the actual API key) in requests as follows:

```
approov secstrings -addKey shapes_api_key_placeholder -predefinedValue yXClypapWNHIifHUWmBIyPFAm
```

> Note that this command also requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
Next we need to inform Approov that it needs to substitute the placeholder value for the real API key on the `Api-Key` header. Only a single line of code needs to be changed at `io/approov/shapes/ShapesClientInstance.kt:52`:

![Approov Substitute Header](readme-images/approov-subs-header.png)

0 comments on commit 1a16f29