Anyone think of a valid reason why a script/integration would need access to Enable Features? It's a RESTlet if that makes a difference. Would that permission be needed for a RESTlet? I'm not all that familiar with them. The role that controls this integration is labeled as Web Services Only, so they can't login or anything, but I still don't have a high comfort level granting an integration that access. Still waiting on feedback from the vendor as to what exactly that's used for.

I have seen vendors add that as a way to check that the appropriate features are enabled, and they only need view access

It's full or nothing. Even though the handy perms spreadsheet says there should be a View option.

Lovely! I do recall NS going through recently and gutting some levels that didn't do anything, but that's really one that should have a none/view/full