Professor
ProfessorI don't know about best practices but I would likely stick with using lmaccess properties myself. As an MSP, most of our collectors are hosted within the customer's environment that we don't fully own. The LM API would be called from these customer collectors in this situation, so in the past I've created per-customer API keys that only has access to their items. This would prevent (even if unlikely) the customer being able to extract/observe an API key that can access other customers.
What I've also done, although that might be to limited here, is create kinda "virtual" devices in LM that is placed in the customer's groups but is assigned to a collector we host. Basically like your Portal Resources but one per customer. But sounds like you need something more broad than that.
I don't think the snippets and such that LM provides will have LM API access but don't know for sure. I hope not since that might mean customer collectors have more access then they should.
