Where are API Functional Scopes Documented

I’m using the API to update a ZIA firewall rule’s list of IP. When I run as a limited access account, I get this message:

{“code”:“RBA_LIMITED”,“message”:“Functional scope restriction requires [FIREWALL, EDGE_CONNECTOR_TRAFFIC_FORWARDING_DNS, SSL_POLICY]”}
The remote server returned an error: (403) Forbidden.

Where are these Functional Scopes documented (so that I can match them to permissions in the UI role editor)? I can’t find a UI option that seems to match EDGE_CONNECTOR_TRAFFIC_FORWARDING_DNS