Internally, all SCIM 2.0 requests are processed using the cn=SCIM2 Servlet,cn=Root DNs,cn=config service account. Whether a requested operation is allowed depends on the ACIs that apply to the operation. The oauthscope bind rule is particularly useful for this, since it allows the administrator to use the supplied OAuth scopes in ACI logic.
Due to implementation details, access to the objectclass operational LDAP attribute is necessary for SCIM requests to properly execute. However, it is not advisable to give the service account access to objectclass on a global level. Instead, add the ACI granting objectclass access to the LDAP subtree you wish to expose to clients. See Configuring permissions for SCIM 2.0 operations for an example of this.