I have two different problems with permissions.
I'd like to search users with email addresses with my Api-User but the function core_user_get_users_by_field only returns users with "Email display"-setting set to "Allow everyone to see my email address". I've given Api-User the permissions moodle/user:viewdetails, moodle/user:viewhiddendetails, moodle/user:viewalldetails but it doesn't seem to be enough.
What permissions do I need to search the full user database with an email?
My other problem is with enrolling users to courses. The enrol_manual_enrol_users function returns the error "You don't have the permission to assign this role (5) to this user (13) in this course(6)." Role 5 is "Student", user 13 is a fresh user created by Api-User and course 6 is a pre-existing course.
What permissions do I need to enrol anyone to any course with role Teacher, Non-editing teacher or Student?
Seems like I finally got the permissions right!
To search all users by email I enabled these permissions for my Api-User:
To enrol users to a course I enabled the permission moodle/role:assign and set the role-specific assignments through /admin/roles/allow.php?mode=assign
The permission jungle is pretty overwhelming at first sight. Feel free to comment if you have any tips for permission management.