Role permissions for API calls

Question asked by Paul Gration on Jun 7, 2018
Latest reply on Jun 8, 2018 by Jason Schaffer

I have created a token for a user (User A) to make API calls and can successfully make API calls to retrieve information about User A as expected.

If I assign User A to the built-in Account admin role I can then make API calls with the same token to retrieve information about other users (without doing this, when trying to access other user information I receive a "user not authorised to perform that action" error message, again as to be expected). However, I don't necessarily want User A to have the full (built-in) Account admin permissions.

I have tried creating a new role (Role A) and assigning User A to that role (instead of Account admin) with the hope of limiting what that user can access in terms of API calls, but none of the permissions seem to relate to API access. To be certain I even assigned the exact same permissions as the 'Account admin' role to the newly created Role A and still couldn't make API calls to retrieve information about other users.

I suspect there is something special about the built-in 'Account admin' role that means it is the only role that can successfully make API calls to access information about other users/anything at account level, but I wanted to find out if this is definitely the case or whether I'm missing some setting/permission somewhere.

Ideally I'd like to have Role A only be allowed access to specific API calls (user profile and user courses for example and nothing else).

Thanks in advance
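As an added example (not part of the original post), a small least-privilege probe in the spirit of what the question is trying to verify: it exercises a token against a handful of endpoints, records which calls succeed and which are refused, and flags anything reachable beyond the intended set. The endpoint paths, the token names and the fake responder are assumptions constructed for this illustration; swap in the real API's paths and an HTTP client to run it against a live account.

```python
"""Least-privilege check for a per-user API token (added example).

Calls a set of endpoints with a token, records which answer 200 and which
are refused, and flags anything reachable beyond the intended scope.
Endpoint paths, token names and the fake responder are constructed here.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher takes (path, token) and returns (http_status, response_body).
Fetcher = Callable[[str, str], Tuple[int, str]]

# Assumed endpoint paths, named after the calls the question mentions.
ENDPOINTS: Dict[str, str] = {
    "own_profile": "/api/v1/users/self/profile",
    "own_courses": "/api/v1/users/self/courses",
    "other_profile": "/api/v1/users/2/profile",
    "other_courses": "/api/v1/users/2/courses",
    "account_users": "/api/v1/accounts/1/users",
}

def probe_scope(token: str, fetch: Fetcher,
                endpoints: Dict[str, str] = ENDPOINTS) -> Dict[str, str]:
    """Return {endpoint_name: 'allowed' | 'denied' | 'error'} for this token."""
    results: Dict[str, str] = {}
    for name, path in endpoints.items():
        status, body = fetch(path, token)
        if status == 200:
            results[name] = "allowed"
        elif status in (401, 403) or "not authori" in body.lower():
            results[name] = "denied"   # the "user not authorised" refusal
        else:
            results[name] = "error"    # network/5xx: investigate, do not trust
    return results

def excess_access(results: Dict[str, str], intended: Iterable[str]) -> List[str]:
    """Endpoints the token can reach but should not: the over-privilege list."""
    wanted = set(intended)
    return sorted(n for n, r in results.items() if r == "allowed" and n not in wanted)

def fake_fetch(path: str, token: str) -> Tuple[int, str]:
    """Constructed stand-in for the API, behaving as the question describes:
    'token-a' is a user in a custom role, 'token-admin' is Account admin."""
    own_scope = path.startswith("/api/v1/users/self/")
    if own_scope or token == "token-admin":
        return 200, "{}"
    return 401, '{"errors":[{"message":"user not authorised to perform that action"}]}'
```

Running `probe_scope` with a real client against a token for Role A and comparing `excess_access` to the two calls you intend to allow tells you directly whether the role grants more than you meant.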