using restAPI to update role of a user but see error 403 "Action not allowed by the server"

I'm following the instructions here to add tenant admin role to a user but I see error 403 "Action not allowed by the server" in the response.

small note: Prior to this, I see error 500 "Cross Site Request Forgery (XSRF) Detected", but I followed the answer in this post and that error no longer appears. 

It seems like I need some sort of permission to do any action related to roles (earlier, I was having trouble getting all the roles as posted here). Please advise on how to bypass this 403 "Action not allowed by the server" error. 

TIA

Edit: Tried to update the group and the result is the same. Some sort of permission is needed. I'm using "bo-integration@dummy.com" user