
EmilS.74586 (Customer) asked a question.
Hi, we have a native application (no backend service) that generally needs to be able to list all users and groups assigned to our application, and also be able to set app-specific attributes on the users. This has to be done on behalf of an "admin" user logged in via OAuth2 who can manage other users assigned to the app. We don't want to have a backend service since we don't want user-sensitive information going through our service (we protect it with client-side encryption). Because of this, we don't want to use SCIM either.
Is there a way to give minimal access to our application for managing only users and groups that are assigned to our application in this way?
What I've currently found and is working is that I need to grant the following scopes to our application:
* okta.apps.read - to read users/groups assignments (we only care about our app, but this gives us access to all apps)
* okta.users.manage - to store custom attributes in the user profile; again we only care about users assigned to us and the specific attributes that we create and manage
* okta.users.read, okta.groups.read - again to read users/groups, while we only care about those assigned to our app
* okta.schemas.manage - it seems like we might need this to add custom attributes to user schemas dynamically
Is there something I am missing that would give us more fine-grained access control, so our application can have minimal access?
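The question lists org-wide scopes (okta.apps.read, okta.users.manage) that are broader than the "only our app's users, only our attributes" policy the client actually wants. The following is an added example, not code from the poster or from Okta, showing how a native client can enforce that narrower policy on its own side: it only ever calls the app-scoped assignment endpoints, refuses to write a profile attribute unless the target user is assigned to the app and the attribute carries the app's own prefix, and checks the token's granted scopes before each call. The endpoint paths are Okta's public Core API; `ORG_URL`, `APP_ID`, the `myapp_` attribute prefix and the injectable `send` callable are assumptions of this example.

```python
"""Least-privilege helper for the workflow in the question (added example).

Assumptions: ORG_URL/APP_ID are placeholders, custom attributes are named
with the prefix "myapp_", and `send(method, url, body)` performs the HTTP
call (a urllib-based sender is provided; tests can inject a fake one).
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Set

ORG_URL = "https://example.okta.com"   # assumed org URL (placeholder)
APP_ID = "0oaEXAMPLEAPPID"             # assumed app id (placeholder)
ATTR_PREFIX = "myapp_"                 # assumed naming for our custom attributes

# Scope each operation needs, as listed in the question.
REQUIRED_SCOPES: Dict[str, Set[str]] = {
    "list_app_users": {"okta.apps.read"},
    "list_app_groups": {"okta.apps.read"},
    "set_app_attribute": {"okta.users.manage"},
}

Sender = Callable[[str, str, Optional[dict]], Any]


def make_http_sender(access_token: str) -> Sender:
    """Real sender: bearer-authenticated JSON request via urllib."""
    def send(method: str, url: str, body: Optional[dict]) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


class OktaAppClient:
    """Client that never touches anything outside its own app's assignments."""

    def __init__(self, org_url: str, app_id: str, granted_scopes: Set[str], send: Sender):
        self.org_url = org_url.rstrip("/")
        self.app_id = app_id
        self.granted = set(granted_scopes)
        self.send = send

    def missing_scopes(self, op: str) -> Set[str]:
        return REQUIRED_SCOPES[op] - self.granted

    def _call(self, op: str, method: str, path: str, body: Optional[dict] = None) -> Any:
        # Fail closed before the network call if the token cannot satisfy the operation.
        missing = self.missing_scopes(op)
        if missing:
            raise PermissionError(f"{op} needs scopes {sorted(missing)}")
        return self.send(method, f"{self.org_url}{path}", body)

    def list_app_users(self) -> List[dict]:
        # Application User objects; "id" is the user id. First page only:
        # Okta paginates with Link headers, which this example does not follow.
        return self._call("list_app_users", "GET", f"/api/v1/apps/{self.app_id}/users")

    def list_app_groups(self) -> List[dict]:
        return self._call("list_app_groups", "GET", f"/api/v1/apps/{self.app_id}/groups")

    def set_app_attribute(self, user_id: str, name: str, value: Any) -> dict:
        """Partial profile update, restricted to our prefix and our assigned users."""
        if not name.startswith(ATTR_PREFIX):
            raise ValueError(f"refusing to write non-app attribute {name!r}")
        assigned = {u["id"] for u in self.list_app_users()}
        if user_id not in assigned:
            raise ValueError(f"user {user_id} is not assigned to app {self.app_id}")
        # POST /api/v1/users/{id} merges only the supplied profile keys.
        return self._call("set_app_attribute", "POST", f"/api/v1/users/{user_id}",
                          {"profile": {name: value}})


if __name__ == "__main__":
    # Real usage (needs a token obtained by the logged-in admin via OAuth2):
    #   client = OktaAppClient(ORG_URL, APP_ID, {"okta.apps.read", "okta.users.manage"},
    #                          make_http_sender("<access token>"))
    #   print(client.list_app_users())
    pass
```

The scope check is a client-side guard, not a substitute for the authorization server: Okta still grants the org-wide scope, so the value of the guard is that a bug in the app cannot accidentally reach other apps' users or overwrite attributes it does not own.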

May,
Do the same action by granting specific app admin + specific group admin permissions.