Service account permission level?

I would like to create a service account that can dynamically provision and de-provision applications. I think the correct permissions to achieve this are read/write capabilities to the apps and trusted-origins API:

However, in the permissions matrix here it isn’t apparent what role is appropriate to minimally provide just those permissions and nothing else.

Can someone provide some guidance as to the best service user setup to achieve this?


I might be wrong, but Trusted Origins is the one for Org Admin to change.