You must define admin users and their permissions in the admin group and assign specific roles to it before you can use these admin users to send cloud API requests. You can also define object permissions to specific admin groups or admin users so they can manage specific objects through cloud API requests. For more information, see About Admin Accounts and About Admin Groups.

...

Note: When you deploy Cloud Network Automation, the cloud-api-only admin group is created automatically. You cannot delete this admin group.

Depending on where a cloud API request is sent and whether the scope of delegation for an object is explicit or implicit, the permissions configured for the admin user and the object may or may not apply. In addition, depending on the objects referenced in cloud API requests, specific restrictions may apply. For supported objects and their restrictions, see Supported Cloud API Objects.

For cloud API requests, admin permissions are applied based on the delegation status of the objects referenced in the requests. If an object is not delegated (that is, it is owned by the Grid Master) and the cloud API request is sent directly to the Grid Master or proxied to the Grid Master, all applicable admin and object permissions apply. On the other hand, if authority for an object referenced in a cloud API request is explicitly delegated to a Cloud Platform Appliance and the request is sent to that appliance, the admin user has full permission for the object within the scope of delegation. In this case, the specific permissions configured for the admin user and the referenced object are ignored. For more information about admin and object permissions, see About Administrative Permissions.

It is important to note that once you delegate authority of an object to a Cloud Platform Appliance, specific admin and object permissions are no longer enforced for it. Therefore, if you do not want certain objects to be created or modified through cloud API requests, do not delegate the authority of these objects or their parent objects to a Cloud Platform Appliance. For example, if you do not want host records to be created through cloud API requests, do not delegate the authority of the relevant networks, zones, or both to the Cloud Platform Appliance. On the other hand, if you want the ability to restrict permissions for specific objects referenced in cloud API updates, you can create different admin groups or admin users that are authorized to make cloud API updates on their respective Cloud Platform Appliances. The following example illustrates this capability.
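Separately from the product example that follows, the rule in the two paragraphs above can be written out as a small decision model, which is useful when auditing which objects a delegation configuration takes out of reach of fine-grained permissions. This is an added illustration, not Infoblox code and not the NIOS cloud API: the object names, the two-level hierarchy (host record under a zone or network), the treatment of a parent's delegation as covering its children, and the deny outcome for a request addressed to an appliance other than the delegate are all assumptions made for the model.

```python
"""Model of the delegation-dependent permission rule described above.

Constructed illustration only: it is not Infoblox code and does not call the
NIOS cloud API.  The object hierarchy (host record under a DNS zone or a
network) and the handling of cases the text does not cover are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

GRID_MASTER = "grid-master"


@dataclass
class CloudObject:
    name: str
    kind: str                              # e.g. "zone", "network", "record:host"
    delegated_to: Optional[str] = None     # CPA name when authority is explicitly delegated
    parents: List["CloudObject"] = field(default_factory=list)


def effective_delegate(obj: CloudObject) -> Optional[str]:
    """Return the appliance whose delegation covers obj, if any.

    The text says to withhold delegation from an object *and its parents*
    (networks, zones) to keep it out of reach; treating a parent's
    delegation as covering the child is the modelling assumption here.
    """
    if obj.delegated_to:
        return obj.delegated_to
    for parent in obj.parents:
        delegate = effective_delegate(parent)
        if delegate:
            return delegate
    return None


@dataclass
class Decision:
    allowed: bool
    specific_permissions_enforced: bool
    reason: str


def authorize(request_target: str, obj: CloudObject, admin_permits: bool) -> Decision:
    """Decide one cloud API request.

    request_target: GRID_MASTER, or the name of the Cloud Platform Appliance
                    that received the request.
    admin_permits:  whether the admin user's and object's configured
                    permissions would allow the operation; consulted only
                    in the cases where the text says they apply.
    """
    delegate = effective_delegate(obj)
    if delegate is None:
        # Not delegated (owned by the Grid Master): the request is handled
        # by, or proxied to, the Grid Master and all configured admin and
        # object permissions apply.
        return Decision(admin_permits, True,
                        "not delegated; Grid Master enforces admin/object permissions")
    if delegate == request_target:
        # Explicitly delegated to the appliance that received the request:
        # full permission within the delegation scope, specifics ignored.
        return Decision(True, False,
                        f"delegated to {delegate}; specific permissions not enforced")
    # Delegated to a different appliance than the one addressed: the text
    # does not cover this case, so the model denies (assumption).
    return Decision(False, True,
                    f"delegated to {delegate}, request sent to {request_target} (assumed deny)")


def exempt_from_specific_permissions(objects: List[CloudObject]) -> List[str]:
    """Audit helper: names of objects that a delegated appliance can manage
    without the configured admin/object permissions being checked."""
    return [o.name for o in objects if effective_delegate(o) is not None]


# Constructed sample inventory: one delegated zone, one undelegated zone,
# and a host record under each.
delegated_zone = CloudObject("cloud.example", "zone", delegated_to="cpa-1")
private_zone = CloudObject("corp.example", "zone")
host_in_delegated = CloudObject("web1.cloud.example", "record:host", parents=[delegated_zone])
host_in_private = CloudObject("db1.corp.example", "record:host", parents=[private_zone])
INVENTORY = [delegated_zone, private_zone, host_in_delegated, host_in_private]

if __name__ == "__main__":
    # An admin user whose configured permissions do NOT allow creating host
    # records: the request still succeeds under the delegated zone.
    for obj in (host_in_delegated, host_in_private):
        d = authorize("cpa-1", obj, admin_permits=False)
        print(f"{obj.name}: allowed={d.allowed} ({d.reason})")
    print("exempt from specific permissions:", exempt_from_specific_permissions(INVENTORY))
```

The two host records differ only in whether their parent zone is delegated; `exempt_from_specific_permissions` is the check to run over an inventory before delegating, since everything it lists is governed by the delegation scope alone rather than by the admin user's configured permissions.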

...