I had the same problem last day - the solution is easy but the documentation is not quite correct at the moment, when the example is just followed.
In version 7.2 CUBA introduced a concept of security scopes .
From the CUBA documentation:
The REST API add-on defines its own
REST scope, so if you add it to the project, you should configure a separate set of roles for users logging in to the system through the REST API. If you don’t do it, the users will not be able to login via REST because they won’t have any permissions including the
cuba.restApi.enabled specific permission.
So you have to create new role, say My REST role , in role editor select the REST value in Security scope lookup field. Then enable the
cuba.restApi.enabled specific permission. After that add all permissions that are required (entities, attributes, etc.)