Forum Discussion
Azure API Management Gateway - RBAC on the API level
Is it possible to grant access to specific API implementations, so that users are able to see some APIs but not others inside the same Azure API Management Gateway?
For example: User1 can manage green ones, but not red ones.
Thanks.
3 Replies
- balasubramanim (Iron Contributor)
Yes, it is possible to control access to specific APIs within Azure API Management Gateway.
1. Group APIs Using Products - You can organize APIs into different Products and assign users or groups to these Products. This way, users can only see and access APIs within their assigned Products.
2. Assign RBAC Roles - Azure’s Role-Based Access Control (RBAC) lets you assign roles like Reader or API Developer at the API level, ensuring users only have access to the APIs they need.
3. Use Policies for Runtime Control - You can enforce restrictions at runtime by applying policies like validate-jwt, which checks user roles or claims in their token.
4. Control Visibility in the Developer Portal - By configuring API visibility to “Product,” you ensure that only users assigned to a Product can see its APIs in the Developer Portal.
This approach keeps API access secure and well-organized, providing flexibility to manage who sees and uses specific APIs.
Yes, by using Azure RBAC to manage access to APIs and other resources. You can assign different roles to users at various scopes, such as subscription, resource group, or individual API Management instance. Here are the steps:
- Define Custom Roles: If the built-in roles do not meet your needs, you can create custom roles. For example, you can create a role that has read and write access to specific APIs only.
- Assign Roles: Assign these roles to users at the appropriate scope. For instance, you can assign a custom role to a user at the API level, allowing them to manage only that specific API.
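
The custom-role approach from the reply above, as an added sketch that is not part of the original thread or any Microsoft code: it builds a role definition limited to read/write on APIs and models, in simplified form, how an assignment at one API's scope covers that API but not its siblings. The subscription ID, resource names, role name and the `allows` helper are constructed assumptions.

```python
import fnmatch
import json

# Constructed placeholders; replace with values from your own tenant.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "example-rg"
APIM = "example-apim"
SERVICE = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
           f"/providers/Microsoft.ApiManagement/service/{APIM}")


def api_scope(api_id):
    """Resource ID of a single API; used as the role assignment scope."""
    return f"{SERVICE}/apis/{api_id}"


def custom_role(name):
    """Custom role definition granting read/write on API resources only."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read/write APIs at the assigned scope (example).",
        "Actions": [
            "Microsoft.ApiManagement/service/apis/read",
            "Microsoft.ApiManagement/service/apis/write",
        ],
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{SUB}/resourceGroups/{RG}"],
    }


def allows(role, assignment_scope, action, resource_id):
    """Simplified model: an assignment covers its scope and every child
    resource, and the action must match Actions and not NotActions."""
    scope = assignment_scope.lower().rstrip("/")
    res = resource_id.lower()
    in_scope = res == scope or res.startswith(scope + "/")

    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in patterns)

    return in_scope and hit(role["Actions"]) and not hit(role["NotActions"])


ROLE = custom_role("Example API Editor")

if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))
```

The printed JSON can be saved and passed to `az role definition create --role-definition`, and the value of `api_scope(...)` used as `--scope` for `az role assignment create`. Assigning the same role at the service scope instead would cover every API in the instance.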
- mkg310 (Copper Contributor)
Another question:
Is it possible to hide only certain APIs on the Developer Portal? Example: Only API1 and API2 are visible on the Developer Portal, API3 and API4 are hidden.
Thanks.