I have a question.
My eventual goal with Okta Workflows is to allow the Custom API Action call to Okta for reading admin roles of a group and assigning a target group for an admin role. The admin role is USER_ADMIN and my call to read an admin role of a group is /api/v1/groups/group_id/roles.
I assigned the okta.groups.read, okta.groups.manage, and okta.roles.read Okta API Scopes to the OAuth Workflows app. I have also already re-authorized. My question is, why am I still getting the 403 Forbidden error when trying to read a group? Is there any other combination of scopes that follows the concept of least privilege? Do I need to enable the okta.roles.manage in order to read a group's admin role?