API Management – Restrict Operation Access per Product

Last week I had an interesting request from a client. They have been creating generic APIs, using a variety of different backend systems (on-prem APIs, Azure Functions, Logic Apps, cloud APIs). Those APIs were grouped by product but even within a product they would like to restrict access to only some operations, so product A would have access to a group of operations, while product B would have access to different group. Initially I thought that role based access driven by claims, but the issue was that we didn’t have control of the identity providers, or the back end services. In the end we would have to find a solution within API Management to create this ACL like style.

Initally I didn’t like the idea to create our own access controls in APIM, but faced with the other constraints, I slowly warmed up to the idea and learned a couple of things about policies along the way.

Continue reading “API Management – Restrict Operation Access per Product”