REST API Permissions Documentation
over 5 years ago by Justin Trout
Is there any documentation on the permissions applied on the REST API endpoints? Specifically, we've identified a scenario where a user who has authenticated with a refresh_token is able to edit any other record's data via PUT/POST on the Party endpoint, but they don't seem to be able to make GET requests to the User endpoint for any record but their own, or one they could normally access via On Behalf Of. If we could get some clarification on when a given user's iMIS permissions are applied to their behaviors on the REST API side, that would be very useful.
Thanks!