docs: BugHerd Tasks 88, 89, 90, 91 (#25567)

Co-authored-by: Sam Firke <sfirke@users.noreply.github.com>

docs/docs/security/security.mdx

@@ -1,11 +1,9 @@
 ---
-title: Role based Access
+title: Security
 hide_title: true
 sidebar_position: 1
 ---
 
-### Roles
-
 Security in Superset is handled by Flask AppBuilder (FAB), an application development framework
 built on top of Flask. FAB provides authentication, user management, permissions and roles.
 Please read its [Security documentation](https://flask-appbuilder.readthedocs.io/en/latest/security.html).
@@ -67,10 +65,20 @@ tables in the **Permissions** dropdown. To select the data sources you want to a
 You can then confirm with users assigned to the **Gamma** role that they see the
 objects (dashboards and slices) associated with the tables you just extended them.
 
+### REST API for user & role management
+
+Flask-AppBuilder supports a REST API for user CRUD, but this feature is in beta and is not enabled by default in Superset.  To enable this feature, set the following in your Superset configuration:
+
+```python
+FAB_ADD_SECURITY_API = True
+```
+
+Once configured, the documentation for additional "Security" endpoints will be visible in Swagger for you to explore.
+
 ### Customizing Permissions
 
 The permissions exposed by FAB are very granular and allow for a great level of
-customization. FAB creates many permissions automagically for each model that is
+customization. FAB creates many permissions automatically for each model that is
 created (can_add, can_delete, can_show, can_edit, …) as well as for each view.
 On top of that, Superset can expose more granular permissions like **all_datasource_access**.