The issue lies in List Users API implementation where the code does not correctly establish identity and capability for the calling user before fulfilling the request ...