Scope okta.appGrants.read requires Super Admin

Hello, I am developing an app that fetches a list of application OAuth 2.0 grants using the “/apps/{id}/grants” endpoint. I am always getting the error 403 (Forbidden) from the API, even though I assigned this app the “okta.appGrants.read” grant, the built-in “Read-only Administrator” role, and a custom role assigned the “View roles, resources, and admin assignments” permission over a resource set containing “All Identity and Access Management resources”.

Not even the built-in App Admin role seems to be sufficient. The issue only disappears if I assign the app the Super Admin role, but this is IMO overkill for read-only operations and violates the principle of least privilege.

Is there a viable way, please, of delegating the permission to read application grants without assigning the app the Super Admin role? I would expect the built-in “Read-only Administrator” role to be assigned the “okta.appGrants.read” permission. Or is this a gap/bug in the current RBAC model?
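To tell a missing OAuth scope apart from an insufficient admin role when this endpoint returns 403, a small diagnostic like the following helps (added example, not code from the post or from Okta; `org_url`, `app_id` and the sample token builder are assumptions, and the token inspection only reads the `scp` claim, it does not validate the JWT):

```python
"""Diagnose a 403 from GET /api/v1/apps/{id}/grants: is the scope absent from the
token, or is it present and the assigned admin role simply does not cover it?"""
import base64
import json
import urllib.error
import urllib.request

REQUIRED_SCOPE = "okta.appGrants.read"  # scope named in the post


def token_scopes(access_token: str) -> set[str]:
    """Return the scopes in the JWT 'scp' claim. Signature is NOT verified:
    this is a local look at your own token, not token validation."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scp", []))


def classify(status: int, access_token: str) -> str:
    """Map the HTTP status plus the token's scopes to a likely root cause."""
    if status == 200:
        return "ok"
    if status != 403:
        return f"unexpected HTTP {status}"
    if REQUIRED_SCOPE not in token_scopes(access_token):
        return "scope-missing: token was not issued with " + REQUIRED_SCOPE
    return "role-insufficient: scope present, admin role does not cover app grants"


def fetch_grants(org_url: str, app_id: str, access_token: str):
    """Call the grants endpoint and return (status, json_body). Hypothetical inputs."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/apps/{app_id}/grants",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # Okta returns a JSON error body on 403


def make_sample_token(scopes: list[str]) -> str:
    """Constructed, unsigned JWT for offline testing of token_scopes()/classify()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scp': scopes})}."
```

In a live run, `classify(*fetch_grants(org_url, app_id, token)[:1], token)` is enough to separate the two failure modes before escalating roles.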
