App token role assignment: How does it work?

Product: PowerShell Universal
Version: 5.5.3

I have a schedule that invokes ScriptA which uses Invoke-PSUScript to invoke BScript. If I create an app token with the Administrator role and use it with the Invoke-PSUScript command in ScriptA, ScriptA and its related schedule execute with no errors. If I create a custom role like app-invoke-script, create an app token with that role, add that role to BScript, and use the app token in ScriptA to invoke BScript, ScriptA throws the following error when it gets to Invoke-PSUScript:

Cannot retrieve the dynamic parameters for the cmdlet. Permission denied. The role specified does not have access to this resource.
at <ScriptBlock>, C:\ProgramData\UniversalAutomation\Repository\scripts\ScriptA.ps1: line 58
at <ScriptBlock>, <No file>: line 1

Am I doing it wrong? Maybe my role isn’t defined correctly? I created it like this:

New-PSURole -Name 'app-invoke-script' -Policy { $true }

I think I was over-thinking this. I just created an app token with the Execute role, and I use that in code that executes scripts :man_shrugging:

FYI for anyone else trying to do this, I contacted support and Adam replied with:

The Role for New-PSUScript is actually used for defining which users will see the script in the portal and doesn’t actually apply to the API. That said, you can apply permissions to the role to provide access to the script. This is what the permission definition would look like for the role.

$appInvokeScript = @{
    Name        = 'app-invoke-script'
    Description = 'Internal app role used by ScriptA to invoke Bscript.'
}
New-PSURole @appInvokeScript -Policy { $true } -Permissions @('automation.scripts.scripts\BScript.ps1/execute', 'automation.scripts/read')

After doing this, you should create a new app token for the schedule, and you’ll be able to run the script.