Azure DevOps provider PAT

When trying to use the azuredevops by Microsoft provider, the main documentation says you need a PAT with full “owner” privileges of the org. But if I want to create/manage just variable groups using the azuredevops_variable_group, it lists only specific permissions needed for this resource. Is it possible to have a limited scoped PAT other than owner to use this provider and manage this resource? The docs seem to contradict themselves. Thanks