Adam, there is no more policy for that endpoint - see bug 1641645. Currently in V3 the password change does not require a token (AFAIU was done to deal with expiring passwords so that admins won't be nagged by password reset requests), thus RBAC protection is not applied.
Adam, there is no more policy for that endpoint - see bug 1641645. Currently in V3 the password change does not require a token (AFAIU was done to deal with expiring passwords so that admins won't be nagged by password reset requests), thus RBAC protection is not applied.