Resources seem to ignore ACLs for meeting organizers when booked through API

[Henrik Hall]

I have a service account with full admin rights, and I use this client to make an API call to add an event to a user's calendar, with a resource (room) added which this user is not allowed to book.

When using the native Google Calendar, this user will get an error when attempting to book that room (or rather, the room will decline).

But when I make an API call using my service account on behalf of this user, the resource accepts.

I would have thought that even though the event is created in the organizer user's calendar using an admin account, the resource would still respect ACLs for the organizer (especially since this is done asynchronously, I would have thought that resource would not even know HOW the event was created, just who the organizer is?), but it does not look that way. The resource accepts regardless of which organizer I create the event on behalf of.

How can I programmatically add an event for an organizer user where the resource accepts/declines according to the ACLs set up for that resource?