Just FYI, you’re likely going to get pushback from SailPoint for calling it broken. The response would likely be that it’s “working as designed.”
The requirements are that you have to use a PAT from a user with ORG_ADMIN rights, but I agree with you. I’ve mentioned it in multiple places that there needs to be more availability for application based API creds, because the current landscape requires we grant ORG_ADMIN to identities that only perform a single task.
I’ve run into an issue in this topic where I can’t update an account because the account is linked to the identity that’s being updated. This identity performs only create/update of accounts in a single delimited source, yet I have to assign it ORG_ADMIN.
I’ve mentioned in another topic why permissions for application API keys need to be expanded.
I’ve also mentioned how much of a pain it is to generate a PAT for a non-human account.