Which IDN User Level Matrix roles are required to invoke particular APIs, while ensuring least privilege?

We have a service account identity for the purpose of managing records on a NELM source. It has been granted SOURCE_SUBADMIN, which allows those records to be created/modified/retrieved with no issues. However, there is no context on the owning identity for those NELM records that are correlated to one. In that instance, we're looking at the Accounts List API call with a filter of name eq "namehere", which can successfully retrieve the NELM account along with the identityId attribute we're after. That does not seem to function when using PAT tokens that only have SOURCE_SUBADMIN access at the owning identity level. Which user access role should we grant to this identity to ensure that it can access account/identity information, while avoiding being overly permissive with it, namely restricting it to only managing NELM records and viewing identities linked to that authoritative source?

The Helpdesk admin user level seems to be the least permissive role that will give me this functionality.

Error received when attempting to access the accounts endpoint is a 403.

    {
        "detailCode": "403 Forbidden",
        "trackingId": "*************",
        "messages": [
            {
                "locale": "en-US",
                "localeOrigin": "DEFAULT",
                "text": "The server understood the request but refuses to authorize it."
            }
        ],
        "causes": []
    }
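Added example (not from the original post, and not SailPoint's code): a small Python client for the lookup described above. It builds the Accounts List call with the exact-match name filter, reads the identityId from the single matching account, and turns the 403 body shown in the post into a clear "user level is insufficient" error so the caller can tell a permissions problem from a filter problem. The tenant hostname, the /v3/accounts path and the filters query parameter are assumptions here; the transport is injectable so the demo runs offline against a constructed copy of the 403 body.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: tenant API host. Replace with your own tenant's hostname.
BASE_URL = "https://example-tenant.api.identitynow.com"

# Constructed sample, modelled on the 403 body quoted in the post (trackingId masked).
SAMPLE_FORBIDDEN_BODY = json.dumps({
    "detailCode": "403 Forbidden",
    "trackingId": "*************",
    "messages": [{
        "locale": "en-US",
        "localeOrigin": "DEFAULT",
        "text": "The server understood the request but refuses to authorize it.",
    }],
    "causes": [],
})


class InsufficientUserLevel(Exception):
    """The PAT's user level cannot read the accounts endpoint (HTTP 403)."""


def build_accounts_url(account_name, base_url=BASE_URL):
    """Accounts list URL with an exact-match name filter, e.g. name eq "namehere"."""
    # Refuse names that could break out of the quoted filter value.
    if '"' in account_name or "\\" in account_name:
        raise ValueError("account name must not contain quotes or backslashes")
    query = urllib.parse.urlencode({"filters": f'name eq "{account_name}"'})
    return f"{base_url}/v3/accounts?{query}"


def http_get(url, token):
    """Real transport: GET with a bearer token, returning (status, body text)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.getcode(), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def describe_forbidden(body):
    """Turn the 403 error body into a one-line message, tolerating non-JSON bodies."""
    try:
        detail = json.loads(body)
    except ValueError:
        return body.strip() or "403 Forbidden"
    texts = "; ".join(m.get("text", "") for m in detail.get("messages", []))
    return f"{detail.get('detailCode')} (trackingId {detail.get('trackingId')}): {texts}"


def identity_id_for_account(account_name, token, base_url=BASE_URL, transport=http_get):
    """Return the identityId of the single account named account_name, or None when
    the account is not correlated. Raises InsufficientUserLevel on 403 so the caller
    learns that the token's user level, not the filter, is the problem."""
    status, body = transport(build_accounts_url(account_name, base_url), token)
    if status == 403:
        raise InsufficientUserLevel(describe_forbidden(body))
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from accounts endpoint")
    accounts = json.loads(body)
    if len(accounts) != 1:
        raise LookupError(f"expected one account named {account_name!r}, found {len(accounts)}")
    return accounts[0].get("identityId")


if __name__ == "__main__":
    # Offline demo: a fake transport replays the constructed 403 body.
    try:
        identity_id_for_account("svc-nelm-01", "pat-token",
                                transport=lambda url, tok: (403, SAMPLE_FORBIDDEN_BODY))
    except InsufficientUserLevel as exc:
        print("access denied:", exc)
```

Because the transport is a plain callable, the same function can be pointed at the real endpoint with `transport=http_get` once a PAT with a sufficient user level is in hand, and the 403 branch then doubles as a quick check of whether a given role actually grants the read.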

Hi Richard,

Please refer to the user level matrix to figure out which permissions to give your service account. If you are still having authorization issues, then we can investigate deeper to see if it’s a bug or documentation gap.