Icinga 2’s authentication is entirely internal and based on the api-users.conf.
Icinga Web 2’s API utilizes all authentication backends (including LDAP) that are available to normal users as well. It also provides a much more broad authorization mechanism, that’s what you’ve shown above in the screenshots. The user with the role shown in your OP can then schedule/remove downtimes and also access the director’s API features (also by use of the Icinga Web 2 API), but the latter is not required for just scheduling/removing downtimes. What the user can do and what not, is possible to inspect using the Audit feature or by just logging in as that user. What’s possible in the UI, is the very same for the Icinga Web 2 API.
Thanks for your answers … I think this is the last open question. I have two api-users.conf. I don’t know whre is defined which one is used. And I don’t see the new configured user in the GUI “Icinga Api users”