Restrict the Operation at Consumer Level

Customer’s requirement:
We have a requirement to restrict the operation/method at the consumer level, not at the API level.
Can this be done? As of now, if we restrict the operation, it affects all consumers, but we want this to be done for a specific consumer.

From support, we suggested that scopes could help. However, the customer came back with the following observation:
“I have created multiple scopes. For one scope I selected one operation, and the security I provided is APIKey; for the other I selected another operation, and the security provided is APIKey.
But when I assign the application to the API, it will execute both operations because the application cannot identify the scope.
Scopes will work when some operations want to use HTTP basic authentication and some operations use APIKey; in that case the scope is the best option.”

Please let me know if this requirement can be met or if this comes as a feature request.

This question was asked at the same time in the AskAPIManagement community and here. Since it was already answered in the AskAPIManagement community, I am posting the gist of the replies from the community.

"The customer’s requirement can be solved using OAuth. Customers can create different scopes for a single API (this can be done in the API Details page) and associate different operations to these scopes.

Then in the OAuth scope mapping, they can map the API scopes created in the previous step to the OAuth scopes.

When creating an application, the users can decide which OAuth scopes to consume and the tokens will be issued only to those scopes and these tokens cannot be used to consume other scopes."


“OAuth is meant for limited access, not API key. So please recommend OAuth scopes for the customer.”
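
A minimal model of the scope check described in the replies above, as an added example that is not part of the original post or the product's own code. The scope names, operation paths, application names and functions are all constructed for illustration; the API key function models the behaviour the customer observed.

```python
# Added illustration: per-consumer operation restriction through OAuth scopes.
# Every name below is constructed for this example, not taken from a product.

# API scopes defined on the API, each associated with specific operations.
API_SCOPES = {
    "orders-read": {("GET", "/orders"), ("GET", "/orders/{id}")},
    "orders-write": {("POST", "/orders"), ("DELETE", "/orders/{id}")},
}

# OAuth scope mapping: OAuth scope name -> API scopes it covers.
OAUTH_SCOPE_MAPPING = {
    "read": {"orders-read"},
    "write": {"orders-write"},
}

# OAuth scopes each application chose to consume when it was created.
APPLICATION_SCOPES = {
    "reporting-app": {"read"},
    "fulfilment-app": {"read", "write"},
}


def issue_token(application, requested_scopes):
    """Issue a token limited to scopes the application is registered for."""
    allowed = APPLICATION_SCOPES.get(application, set())
    granted = set(requested_scopes) & allowed
    if not granted:
        raise PermissionError(f"{application}: no requested scope is permitted")
    return {"client": application, "scope": frozenset(granted)}


def is_operation_allowed(token, method, path):
    """Allow the call only if a granted OAuth scope maps to an API scope
    that contains this operation. Unknown scopes grant nothing."""
    for oauth_scope in token["scope"]:
        for api_scope in OAUTH_SCOPE_MAPPING.get(oauth_scope, ()):
            if (method, path) in API_SCOPES.get(api_scope, ()):
                return True
    return False


def api_key_allows(application, method, path):
    """API key check for contrast: the key only identifies the application,
    so the operation is not part of the decision."""
    return application in APPLICATION_SCOPES
```

Here `reporting-app` can call `GET /orders` but not `POST /orders`, while the API key check admits it to both, which is the gap the customer ran into.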