Restrict account access solely to generating pre-defined Extract files
Summary:
We need to allow an account to generate dimension Extracts from a specific application, but otherwise have read-only access to the system.
The account's only purpose is using REST API jobs to run pre-defined Dimension Extracts and download the resulting files to an external system. However, it appears that only System Admin accounts can be granted the ability to run Extracts: even after granting all EDM Roles and Participant status on the Application to a User-level account, it still did not have Extract access.
Given the access level of System Admin accounts, the security risk here is HUGE, when all that's needed is a single capability, without any ability to change the environment's configuration or contents.