We have 2 issues with Magento 2.1.5 REST API that we can not resolve / understand.
1. Unauthorized API access via the integration that uses OAuth-based authentication: known document at http://devdocs.magento.com/guides/v2.1/rest/anonymous-api-security.html says that /rest/V1/customerGroups API is not available in this case (anonymoys access via OAuth-based authentication). This probably was true with previous versions but after the upgrade to 2.1.5, this (/rest/V1/customerGroups) API occurs to work. Has anonymous API security in 2.1.5 been updated so that it permits /rest/V1/customerGroups calls? other?
2. Token-based authentication: we have configured a dedicated admin user for API access from outside. Whatever role resources we configure for this user (even "All"), at least the following APIs are inaccessible: