Currently permission tree is very coarse compared to the number of features Identity Server supports. A single permission allows to do multiple operation in multiple components.
Need to design a permission tree thinking about all the components in IS categorized by features, sub-features and operations.
Once this is done we need to improve the automation tests, such that every admin service call is done by creating a new user with exact permission required to call the particular operation, and not the super admin or tenant admin. This will be a good way to cross check if all the admin service operations have automation tests also.