When a user tries to perform some action via OAuth or bot passwords and has the required right, but the OAuth consumer / bot does not have the corresponding grant, they get the standard "You do not have the permissions needed to carry out this action" message. This is confusing, especially when the error is about some non-obvious right.
Not easy to fix since the whole permission system is based in getting the list of rights the user has, and rights without a grant get filtered out early on. The permission manager could probably store a list of such "deactivated" rights, though.
Vaguely related to T180888: All permission checks should be able to return a custom error message.