We are implementing a single-page application (SPA) that is used by our admins to configure our system. There are two roles, “super admins” and “normal admins”. The “normal admins” should only be able to create or delete users that have the same role and that have the same custom id as metadata.
We are wondering now whether the SPA can directly use the management API to provide the described services or whether we need to implement an API, which the SPA uses to interact with the management API. We would prefer to let the SPA interact directly with the management API, but we fear that using scopes is not enough. Is it somehow possible to prevent users from calling management API methods based on the sent arguments without implementing a custom API?
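The argument-level check the question describes, as an added example that is not part of the original post: a backend handler that sits between the SPA and the management API and allows a "normal admin" to create or delete only users with the same role and the same custom id in their metadata. The role names, the `customId` metadata key, the handler shapes and the in-memory `memoryMgmt` stand-in for the management API are all assumptions made for this example.

```javascript
// Added example (not from the original post). Role names, the "customId"
// metadata key and the management-API stand-in are assumptions.
const ROLES = { SUPER_ADMIN: "super_admin", NORMAL_ADMIN: "normal_admin" };

// Decide whether `caller` may create or delete `target`. Super admins may act on
// anyone; normal admins only on normal admins sharing their own custom id.
function canManage(caller, target) {
  if (caller.role === ROLES.SUPER_ADMIN) return true;
  if (caller.role !== ROLES.NORMAL_ADMIN) return false;
  const callerId = caller.metadata && caller.metadata.customId;
  const targetId = target.metadata && target.metadata.customId;
  return target.role === ROLES.NORMAL_ADMIN &&
    typeof callerId === "string" && targetId === callerId;
}

// Backend handler the SPA calls instead of the management API. `caller` must come
// from the verified access token, never from the request body; `mgmt` is the
// (hypothetical) management client.
function handleCreateUser(caller, body, mgmt) {
  const target = { role: body.role, metadata: body.metadata };
  if (!canManage(caller, target)) return { status: 403, error: "forbidden" };
  return { status: 201, user: mgmt.createUser(target) };
}

// For deletes, look up the stored record and check that, not client-supplied claims.
function handleDeleteUser(caller, userId, mgmt) {
  const target = mgmt.getUser(userId);
  if (!target) return { status: 404, error: "not found" };
  if (!canManage(caller, target)) return { status: 403, error: "forbidden" };
  mgmt.deleteUser(userId);
  return { status: 204 };
}

// Constructed in-memory stand-in for the management API so the example runs
// offline; a real client would be asynchronous and need its own credentials.
function memoryMgmt(seed = []) {
  const users = new Map(seed.map((u) => [u.id, u]));
  let next = users.size + 1;
  return {
    getUser: (id) => users.get(id) || null,
    createUser(u) { const user = { id: `u${next++}`, ...u }; users.set(user.id, user); return user; },
    deleteUser: (id) => users.delete(id),
    size: () => users.size,
  };
}
```

Scopes alone can only say "may call createUser"; the `canManage` check is what ties the call to its arguments, and it only holds if the SPA cannot reach the management API with its own token.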