I'm trying to register a new endpoint type from vRO with the following code:

var restClient = vRAhost.createRestClient("com.vmware.csp.core.endpoint.configuration.api");
restClient.put("/categories/" + categoryId, JSON.stringify(category));

The type of vRAhost is vCACCAFE:VCACHost. When vRAhost tenant is the default vsphere.local with a user having tenant and IaaS admin permissions in the same tenant, the above code runs fine registering the new category.

When I try to run this against a vRAhost registered with another tenant, I get 403 permission denied whatever user I try.

The Endpoint Configuration Service API Specification writes:

User Roles and Permissions

Different user roles have different permissions for working with endpoints.

Endpoint Type Operations and Endpoint Type Categories

The following user roles have permission for the following:

GET - IaaS Administrators, vRA Administrators, Solution Users.

PUT/POST/DELETE - vRA Administrators, Solution Users.

So the user should belong to vRA Administrators group, but I'm not sure what exact group is referred here? Tenant/IaaS/... admin? Or is this allowed for the vsphere.local tenant admin only?