Implicit Permission

When a user is assigned a role (for example, Organization Administrator or Device Enrollment Manager) at an organizational unit, they can sign in to the Apple Business web portal and view users and user groups for that organizational unit. This read access is implicit—it comes automatically with any role assignment except the role of Staff. The user doesn’t need a separate “read users” permission because the ability to view the information is bundled into the role itself.

API accounts work the same way. When an API account is assigned a role, it implicitly gains read access to users and user groups, just as a web portal user would. The only difference is scope: API accounts are assigned at the root organization level, so their implicit read access extends to the entire organization rather than to a specific organizational unit.

Note: If your organization created API accounts in Apple Business Manager before signing in to Apple Business for the first time, those accounts can’t sign in to the Apple Business web portal.