I know that you can only see and manage the keys that you generate within the Identity Services, so they must be associated to the user. But do they also inherit the Canvas User's status, roles, and permissions? Or, once generated, are they independent credentials with their own expiration and all with the same (full) access?

Early on, perhaps in one of the blog posts, I believe it was mentioned that a User needs particular Canvas permissions to access the Identity Services and generate keys. But otherwise the documentation seems to gloss over the management of these keys. It's not clear if data may be filtered or restricted (intentionally or otherwise), or if it may be more appropriate to use "service accounts" to generate and manage them rather than individual admins.