I’ve just completed the Delegated admin setup tutorial and have it working when I set the app_metadata roles manually. I’ve been trying to set up a rule for it, but I keep getting this error in the logs:
error: name=ForbiddenError, message=Cannot perform action. Missing scope read:users, status=403
I’ve tried to set the API grant read:users in the client application, via the Machine to machine API settings, but that doesn’t seem to work. In the same page there is information that this is not needed for SPA applications.
So my question is, where can I set the read:users grant for the Delegated Admin extension, or the application it created?
I tried to set the grants to Implicit on the auto-generated application but with no luck.