I'm trying to create a new pfSense user with only the minimum permissions needed to accomplish their assigned tasks: updating an Alias address list.

I successfully generate a key for admin user with

The user pfs_api_client can log in to webCfg, generate an API key, and update the Aliases via the GUI. But using either the uname:pwd credential or the API key on the (PATCH) /api/v2/firewall/alias endpoint gives the same 403: ENDPOINT_CLIENT_NOT_ALLOWED_BY_ACL response. Using the same endpoint with admin's API key gives a 200: success response.

User pfs_api_client is a member of a group with these permissions:

What other perms are needed for a minimal user for the API?

pfSense v2.8.1
Replies: 1 comment
Apologies for the spam, after trying to solve this for 3 days, I solved it ~5 mins after posting this.
Answer - the System > Rest API > Access List includes a 'users' field. Select individual users if only some pfSense users shall access the API, or select none to allow all pfSense users access. I was only paying attention to the 'network' field.
I would respectfully suggest updating either the users/privileges documentation, the users UI, the Access List edit UI, or the 403 response details to make this more clear.