We’re trying to automate app creation using an API Service application, but we want to automatically add the created applications to resource sets to allow delegated team admins to manage their applications.
Is there any way to do this without granting the API Service app the built-in Super Admin role? I’m getting 403 Forbidden errors when attempting to use a token with the okta.roles.manage role, and I know that traditionally only Super Admins can modify anything related to admin privileges. I think I already know the answer (it does need Super Admin) but I’m hoping for a sanity check.
Aside from closely monitoring the app’s usage and where the okta.roles.manage scope is allowed to be used, any ideas for locking this API Service app down as tightly as possible?