> Is what I'm trying to do even correct,
It's incorrect. You don't access the API on behalf of a specific user. Also, this is not authentication API.
There is no granularity level: once you properly get a token, you (your application) get full access to all endpoints that allow to manage different types of resources (not only users).
The [docs](https://www.gluu.org/docs/gluu-server/user-management/scim2/) clearly explain there are 2 modes: test or UMA. How to get a token in test mode is detailed step-by-step. UMA is more involved, but the goal is again, a token.