Hello,
We would like to build an application that will be run by a service account with Domain Wide Delegation to act as users in our organisation.
More specifically, the SA will use the PAM (Privileged Access Manager) API to grant temporary elevated permissions to users.
From what I could see, the scope required for this API is "https://www.googleapis.com/auth/cloud-platform", which is actually a scope used by many GCP APIs.
Is there a more specific role that could only allow the SA to access the PAM API?
Thanks.