When making query or mutation to GraphQL REST API all access rights are check based on the profile you are using.
The access rights are defined, in this order, at several level :
Each time you make a query or a mutation HOPEX will check that you are allowed to perform this action :
In query, if you are not allowed to view the requested information you will get :
In Mutation, if you are not allowed to create/update/delete the requested object or its fields you will get :
You should ensure that the profile you use when querying the application is properly configure with the CRUD.
For more details read the documentation : https://doc.mega.com/hopex-v4-en/#page/SUP/Administration_avancee.Managing_UI_Access_(Permissions).h...