Limit access to a single project while using the 2-Legged authentication method


One of our backend automation tools uses the Data Management API to access files in ACC projects. Since it is a backend process, fully unattended, we are using the client-credentials grant type (aka 2-Legged authentication method). This is great, however it does not seem to be possible to restrict the access of the "ACC system" user to only specific projects.

I assume that in order to control permissions, a "service user" must be introduced and granted the specific permissions. Does it mean that 3-Legged authentication shall be used? How, then, to achieve a fully automated, unattended process?


Best answer:

I believe you are trying to find a way for an Account Admin to provide granular access to the integrated App, which means the App can only have limited access to some projects, right? Unfortunately, this is not supported currently, but we do understand the request and it's already logged as a wish in https://fieldofviewblog.wordpress.com/2019/06/15/bim-360-acc-api-known-issues-and-wishes/ as follows:

BIMAPI-96: “As an owner of BIM 360 account, we need a way to provide more consistent, granular controls when giving access to 3rd party apps”

For now, as you said, the workaround to make limited access to some projects may go with 3-Legged Access, but you need to log in at least once. Once logged in, you can use the refresh token to automatically refresh the access token without the user logging in again, but the new refresh token will expire in 15 days.

I understand this is not an ideal solution, and as you said, some endpoints may only support 2-legged tokens, and at least one login is required; that's the limitation.

Hope it answers your question.
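As an added illustration of the refresh-token workaround described in the answer (my own example, not code from the question, the answer, or Autodesk): it rotates a stored 3-legged refresh token and refuses to proceed once that token is older than the 15-day lifetime the answer mentions, so the unattended job fails loudly rather than silently. The token endpoint URL and the Basic-auth form body are assumptions about the APS v2 authentication API, and the `state` dict layout is mine.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

# Assumed APS v2 token endpoint (not stated on the page).
TOKEN_URL = "https://developer.api.autodesk.com/authentication/v2/token"
# Refresh-token lifetime quoted in the answer: 15 days.
REFRESH_TOKEN_LIFETIME = 15 * 24 * 3600


def build_refresh_request(client_id, client_secret, refresh_token, scopes):
    """Build the refresh_token grant: client credentials go in Basic auth,
    the grant parameters in a form-encoded body (assumed v2 shape)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "scope": " ".join(scopes)}).encode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def refresh_access_token(state, client_id, client_secret, scopes, post, now=time.time):
    """Exchange the stored refresh token for a fresh access token.
    `state` is {"refresh_token": str, "issued_at": epoch seconds} as persisted
    after the one-time interactive login; `post` performs the HTTP call.
    Returns (access_token, new_state); the caller must persist new_state,
    because the server hands back a new refresh token on every rotation."""
    if now() - state["issued_at"] >= REFRESH_TOKEN_LIFETIME:
        # Past the 15-day window: only a new interactive 3-legged login can recover.
        raise RuntimeError("refresh token older than 15 days; re-run the interactive login")
    url, headers, body = build_refresh_request(client_id, client_secret,
                                               state["refresh_token"], scopes)
    resp = post(url, headers, body)
    new_state = {"refresh_token": resp["refresh_token"], "issued_at": now()}
    return resp["access_token"], new_state


def days_until_refresh_expiry(state, now=time.time):
    """How long the stored refresh token remains usable; alert well before 0."""
    return max(0.0, (state["issued_at"] + REFRESH_TOKEN_LIFETIME - now()) / 86400)


def urllib_post(url, headers, body):
    """Real transport for production use; tests inject a fake instead."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as r:
        return json.load(r)
```

Schedule the job to call `refresh_access_token` comfortably inside the 15-day window and monitor `days_until_refresh_expiry`, since the answer notes that once the window lapses a human must log in again.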