API authorisation and users are separate from the admin panel users, there is an explanation… https://strapi.io/blog/why-we-split-the-management-of-the-admin-users-and-end-users
And some more discussion: Strapi Permissions - Admin vs Site Users - How to assign ownership of items?