I'm attempting to view/modify roleassignments via the REST API ( e.g. https://host/_api/web/lists/getByTitle('Documents')/roleassignments) and getting back 403 Forbidden response.
The user I'm authorized against is the primary administrator for the Sharepoint online installation.
The scope requested during the OAuth handshake was AllSites.Manage - my suspicion is that the requested scopes were insufficient but I'm not entirely sure which scope would be required here.