I have a set of custom objects in a managed package that I need to be able to update records on via the Metadata API in my customer's orgs (yeah, I know this is not a good way of doing it, but I'm working with a legacy system that I don't have the luxury of re-implementing). According to the Metadata API Developer’s Guide (page 4), the user account that accesses the Metadata API must have "API Enabled" and "Modify All Data" permissions. Are these truly the minimum requirements, or is it possible to use an account with a restricted set of permissions (CRUD on the managed package custom objects only) to push the data?
[SalesForce] What are the minimum permissions required to update an object record via the Metadata API
Related Solutions
The feature that allows restrictring API access from managed packages (known as package access control, or PAC) has been deprecated and is no longer available for new packages. Existing packages that have it enabled can disable it in the subscriber org via the same method as the old answer. If you need to disable this as a package publisher you'll need to reach out to Salesforce support and reference bug W-4164180. Support should be able to turn on the PAC UI in your publishing org temporarily while you disable it.
You should not enable this (and generally, can't) for new pacakges that are not already grandfathered in.
(The source of this new information was talking directly to the packaging dev and PM team, so I'm afraid I don't have good public links to share)
Old, outdated answer follows for historical interest:
Under the Setup > Create > Packages > (your package) menu there is an "API Access" field: 
. Selecting the "Enable Restrictions" link brings you to another page where you can specify exactly what level of CRUD access your application needs for various objects:
.
Note that once API access is enabled some system objects, like tags, are inaccessible to your application. If you make heavy use of system SObjects this may not be something you can enable.
I was getting this error when trying Task.Customfield but I was able to fix it by using Activity.CustomField. Hope this helps!
Best Answer
Yes, these permissions are required. Even if you set up a user with delegated administration, they will not be able to log in and use the API without actually having that permission, even though they can customize those objects through the UI. If you don't have the permission, you'll get the following error: