There is the option to use security policies to give users direct view or edit access on some specific schema's.
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:alerting.maintenance-window";
But how can I create an API token with only that permission? The API-token scopes are not fine grained I presume.
At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.
The only workaround today is personal access tokens which inherit the permissions of the user that created the token, so this means also the policies attached to the customer.