Box API: JWT App Access Only - Potential Permissions Bugs

Hello Boxers,

I'm a web dev for the Univ of Arizona and we currently have an API set up like this:

Here's our use case: 

1. A faculty member submits an application (on a Drupal site) for Teaching and Research Grant, listing their Department Head as endorser.
2. Our drupal site uses the API to look up the endorser’s Box User ID using List enterprise users (X)
3. Start a workflow (X) (relay), adding the endorser (using their Box User ID obtained from step 2) as a collaborator and assigning them the approval task
4. The endorser approves or rejects the application

We're testing what the API can do and are finding that the X's in steps 2 and 3 cannot be done with our current API configuration.

Alternatively, we've asked the primary admin's of our organization to give us "App + Enterprise Access", but this would mean the API would have access to all content of all users in the entire organization, which would not be ideal security wise.

So, I wonder if these are potentially bugs that need to be addressed in the Box API. 

For Step 2 List enterprise users:

The reason i think this might be a bug is when I try to Get user on another user in the enterprise, it works and returns their information.

but List enterprise users always returns empty for me: 

But the Get user documentation page has the same permissions requirement verbiage as List enterprise users: 

So if Get user works, but List enterprise users does not, either I am doing something wrong (hopefully this is the case) or there's an issue with the API.

For Step 3 Start workflow

When I try to start a workflow (relay), the error that's returned is: 

The reason I think this could be considered a bug is because through the Box.com user interface, when I am logged in as myself (a managed user), I can start a relay no problem, and this is so regardless of if I was the one who created the relay or not: 

However, when I use the API, it seems to let me only start relays that was created by me. If I try to start a relay created by someone else in the same folder, it will return the 500 internal server error. The catch here is that there's no way for me to create a relay inside the service account, because logging in as the service account can only be done by primary admins of the entire enterprise: https://developer.box.com/guides/getting-started/user-types/service-account/

So if the service account cannot set off a relay that it did not create, then that means it cannot set off any relay at all, because no one in the enterprise has the ability to login as the service account except the primary admins. 

Alternatively, I can request the primary admins to give the service account "App + Enterprise access", but does this mean the service account can set off any relay in the enterprise whatsoever? If so, this could be too big of a risk.

Thanks in advance for any help or insight into this,