What permissions are needed when defining a Subscription.
Data Context
The token used to make the request determines the granularity of the data that will be broadcast on the Subscription. A partner, for example, will be able to see data across many Merchants, whereas a Merchant will only be able to view their own record and sub-Customer/business-process records.
As a result, to subscribe to a webhook, the token being used must have read access to that data. You could not, for example, create a Customer Subscription with a token that does not have customer:read on it.
Scopes
To ensure that a requestor cannot use webhooks to view data they do not have access to, the token used to create a webhook must also carry the appropriate read access. For example, when creating a Subscription to Business Processes you must have both [Subscriptions](webhook-subscriptions):create and business_processes:read on the token.
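The two rules above (read scope required at creation, broadcast limited to the token's data context), sketched as server-side checks in an added example that is not the platform's own code. Assumptions: the create scope is spelled `subscriptions:create`, and the `Token` class, its `merchant_ids` field, the function names and the sample tokens are all hypothetical.

```python
from dataclasses import dataclass

# Assumed spelling of the create scope; the read scopes are the two named on this page.
CREATE_SCOPE = "subscriptions:create"
READ_SCOPE = {"customer": "customer:read",
              "business_processes": "business_processes:read"}

@dataclass(frozen=True)
class Token:                      # hypothetical token model
    scopes: frozenset
    merchant_ids: frozenset       # data context: many for a partner, one for a Merchant

def missing_scopes(token, resource):
    """Scopes the token still lacks to create a Subscription on `resource`."""
    if resource not in READ_SCOPE:
        raise ValueError(f"unknown resource: {resource}")
    return {CREATE_SCOPE, READ_SCOPE[resource]} - token.scopes

def create_subscription(token, resource, url):
    """Refuse creation unless create AND matching read scope are both present."""
    missing = missing_scopes(token, resource)
    if missing:
        raise PermissionError("token lacks: " + ", ".join(sorted(missing)))
    # Bind the Subscription to the creating token's data context.
    return {"resource": resource, "url": url, "merchant_ids": token.merchant_ids}

def deliverable(subscription, event):
    """Broadcast only events of the subscribed type inside the data context."""
    return (event["resource"] == subscription["resource"]
            and event["merchant_id"] in subscription["merchant_ids"])

# Constructed sample tokens and event (not real data).
PARTNER = Token(frozenset({CREATE_SCOPE, "customer:read"}), frozenset({"m1", "m2"}))
MERCHANT = Token(frozenset({CREATE_SCOPE, "customer:read"}), frozenset({"m1"}))
NO_READ = Token(frozenset({CREATE_SCOPE}), frozenset({"m1"}))
EVENT_M2 = {"resource": "customer", "merchant_id": "m2"}
HOOK_URL = "https://example.invalid/hook"

if __name__ == "__main__":
    for name, tok in (("partner", PARTNER), ("merchant", MERCHANT)):
        sub = create_subscription(tok, "customer", HOOK_URL)
        print(name, "receives m2 customer event:", deliverable(sub, EVENT_M2))
    print("create-only token lacks:", missing_scopes(NO_READ, "customer"))
```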