The site runs CB 2107. I read the Permissions section of https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/community-hub. I copied the Read-only Analyst role and gave the new custom role Community hub Download: Yes. I also gave it SMS_Scripts Create: Yes. I added that role to an existing Administrative User group. The group has access to the All Systems collection and the Default security scope.
Tried to download a console extension. It fails with "Download failed. The item cannot be imported. Review the SmsAdminUI.log and AdminService.log for additional information."
AdminService.log reports the following. I'm unsure what other permissions are needed for this operation.
Processing incoming request for resource [https://<name>/AdminService/v1.0/ConsoleExtensionMetadata/AdminService.UploadExtension], method: [POST], User - [<user>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [SMSAppName]=[Configuration Manager Administrator console] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [MachineName]=[<name>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [UserName]=[<user>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ObjectLockContext]=[ec1860a7-b523-401c-86da-d2da768fd8f8] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ApplicationName]=[Microsoft.ConfigurationManagement.exe] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ApplicationVersion]=[5.2107.1063.1000] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [LocaleID]=[MS\0x409] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Content-Length]=[33409998] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Content-Type]=[application/json] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Authorization]=[**] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Expect]=[100-continue] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Host]=[<name>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [RemoteIpAddress]=[10.10.250.14] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [RemotePort]=[51824] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [ContentType]=[application/json] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [Accept]=[] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Provider authentication level and exception list up to date. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
User <name> is allowed because it is validated with current authentication level Default. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
User <name> does not have enough permissions for this operation. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:33:04 PM 25 (0x0019)
Completing request with response code [403] reason [Forbidden] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:33:04 PM 25 (0x0019)
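
Added example, not part of the original post: a Python sketch that reads AdminService.log lines in the flattened layout shown above, pairs each request with the response logged on the same thread ID, and returns the requests that were denied. The sample lines are constructed (host, user names and the second request are made up), and the one-request-per-thread pairing is an assumption about how the log interleaves.

```python
import re

# Flattened CMTrace-style line: message, component, date time, thread id (dec and hex).
LINE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>[\w.]+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)$")
REQUEST = re.compile(r"Processing incoming request for resource \[(?P<url>[^\]]+)\], "
                     r"method: \[(?P<method>\w+)\], User - \[(?P<user>[^\]]*)\]")
RESPONSE = re.compile(r"Completing request with response code \[(?P<code>\d+)\]")
DENIED = "does not have enough permissions"

def denied_requests(lines):
    """Pair each request with the response on the same thread; return the denied ones.
    Assumption: a thread id handles one request at a time."""
    pending, denied = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected layout
        msg, thread = m["msg"], m["thread"]
        if (req := REQUEST.search(msg)):
            pending[thread] = {**req.groupdict(), "start": m["ts"], "authz_denied": False}
        elif thread not in pending:
            continue  # line with no request seen on this thread
        elif DENIED in msg:
            pending[thread]["authz_denied"] = True
        elif (resp := RESPONSE.search(msg)):
            entry = pending.pop(thread)
            entry.update(code=int(resp["code"]), end=m["ts"])
            if entry["code"] in (401, 403) or entry["authz_denied"]:
                denied.append(entry)
    return denied

# Constructed sample modelled on the log above; host, users and the second request are made up.
C = "Microsoft.ConfigurationManager.AdminService"
SAMPLE = [
    f"Processing incoming request for resource [https://cm01.example/AdminService/v1.0/ConsoleExtensionMetadata/AdminService.UploadExtension], method: [POST], User - [EXAMPLE\\analyst1] {C} 9/15/2021 1:32:18 PM 25 (0x0019)",
    f"Header: [Content-Type]=[application/json] {C} 9/15/2021 1:32:18 PM 25 (0x0019)",
    f"Processing incoming request for resource [https://cm01.example/AdminService/v1.0/Device], method: [GET], User - [EXAMPLE\\admin1] {C} 9/15/2021 1:32:20 PM 31 (0x001F)",
    f"Completing request with response code [200] reason [OK] {C} 9/15/2021 1:32:21 PM 31 (0x001F)",
    f"User EXAMPLE\\analyst1 does not have enough permissions for this operation. {C} 9/15/2021 1:33:04 PM 25 (0x0019)",
    f"Completing request with response code [403] reason [Forbidden] {C} 9/15/2021 1:33:04 PM 25 (0x0019)",
]

if __name__ == "__main__":
    for d in denied_requests(SAMPLE):
        print(d["start"], d["user"], d["method"], d["url"], "->", d["code"])
```

Each returned entry carries the user, method, URL and start/end timestamps, which is enough to line a denial up against the role assigned to that user.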