Currently there is not documentation on the RESTAPI Security profile.

Need details on this SECURITY profile and the access needed.

ESP Workload Automation 12.0 - z/OS supported releases - 

Some information about the REST API security profile can be found in the Installation and Configuration Guide at the following link: 

Install and Configure the REST API 

The started task user must have at least READ access to the following resources:
BPX.SERVER
safprefix.RESTAPI


For agent-related endpoints, the started task user must also have at least READ access to the following resources:
safprefix.OPER
safprefix.ONLINE
safprefix.AGENTMSG

There is a difference between the End User and the STC user. The End User is checked against usual ESP profiles.

So if the End User is supposed to trigger events, he needs to have appropriate safprfx.GROUP.* or safprfx.GROUPX.* permissions etc.

End Users won't need access to safprefix.RESTAPI If they have the GROUP, GROUPX access, even if they are calling API’s to trigger the events. 

Safprefix.RESTAPI is needed for the STC user only as it is supposed to protect the ESP scoreboard data.