
Azure API Management - Management API & Developer Portal SAS Token Access to Instance Data?

In the Azure API Management instance I have deployed, I have enabled both the Management API and the Developer Portal.

I can log into the Developer Portal (as a Developer: the account was added to the Developers group in the Developer Portal blade of the Azure Portal, with no other permissions assigned to the user), extract the SAS token the portal uses in the Authorization header, and use this token to perform operations on the API Management instance via the Management API.

Is this correct? With the Developer Portal using the same API behind the scenes, I understand some of the operations will be possible with the SAS token assigned to Developers, such as Create Subscription, edit displayName, etc. (as this is all possible from the Developer Portal by Developers). But should Developers really be able to (for example) use the Management API/their Developer Portal token to change the scope of their approved subscription from one Product/API to another? This way they can gain access to a Product/API I did not approve under the 'approved' subscription from a previous subscription meant for a different authorized Product/API.

I would have expected such operations/capabilities to be available only to users in the Developer Portal's Administrators group (or similar).

Is this correct behavior, or is there some extra configuration I am not aware of to restrict such capabilities for 'Developers'? I do not want Developers to be able to manipulate subscriptions to gain access to Products/APIs they have not been approved access to. I also need the Management API enabled, so disabling it is not an option (but out of curiosity I disabled the Management API and I could still edit subscriptions using the same API as the Developer Portal).

You're not actually disabling the Management API itself; you're only disabling the integration account.

The SAS token issued to users is user-specific, and there is a limited number of actions that one can perform with it, mostly related to the user's resources. Changing the scope of a subscription is not one of them.
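The disagreement above is testable: take the token the Developer Portal puts in the Authorization header and try the operations against the Management API directly, checking which ones the instance refuses. The script below is an added example, written for this page and not code from the asker, the answerer, or Microsoft. It assumes, beyond what the page states, that the token has the documented `SharedAccessSignature uid=...&ex=...&sn=...` shape with a .NET round-trip expiry, that the direct Management API is served at `https://<service>.management.azure-api.net` and accepts `api-version=2018-01-01`, and that a subscription is re-scoped with `PATCH /subscriptions/<sid>` carrying `{"properties": {"scope": "/products/<productId>"}}` and an `If-Match` header. The service name, subscription id and product id are placeholders, and the two transports at the bottom are constructed stand-ins so the probe can be exercised offline; pass no transport to hit a real instance.

```python
"""Probe what a Developer Portal SAS token can do against the APIM Management API.

Added example for this Q&A; not the asker's or answerer's code. Assumptions
(not confirmed by the page): token format, Management API host, api-version,
PATCH body shape and If-Match requirement, all noted in comments below.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2018-01-01"  # assumption: adjust to what your instance accepts


def _parse_expiry(value):
    """Parse a .NET round-trip timestamp such as 2024-01-01T00:00:00.0000000Z.

    Python's fromisoformat rejects 7 fractional digits on older versions, so the
    fraction is dropped; whole-second precision is enough for an expiry check.
    """
    main = value.rstrip("Z").split(".")[0]
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_sas_token(header_value):
    """Split 'SharedAccessSignature uid=..&ex=..&sn=..' into its fields.

    Splitting is done by hand rather than with parse_qsl because the base64
    signature may contain '+' and '/', which a query-string parser would mangle.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme != "SharedAccessSignature" or not params:
        raise ValueError("not a SharedAccessSignature header")
    fields = {}
    for pair in params.split("&"):
        key, _, val = pair.partition("=")  # keeps trailing '=' padding in val
        fields[key] = val
    for key in ("uid", "ex", "sn"):
        if key not in fields:
            raise ValueError(f"token is missing '{key}'")
    expiry = _parse_expiry(fields["ex"])
    return {
        "uid": fields["uid"],          # the Developer Portal user this token is bound to
        "expiry": expiry,
        "signature": fields["sn"],
        "expired": expiry <= datetime.now(timezone.utc),
    }


def management_url(service_name, path):
    """Direct (non-ARM) Management API endpoint; host pattern is an assumption."""
    return f"https://{service_name}.management.azure-api.net{path}?api-version={API_VERSION}"


def http_call(method, url, headers, body=None):
    """Default transport: urllib, returning (status, response_text) even on 4xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_token(service_name, token, sid, other_product_id, transport=http_call):
    """Try a read and a re-scope of subscription `sid` with the given token.

    Returns {operation: http_status}. A developer-scoped token is expected to
    read its own subscription but be refused when moving it to another product.
    """
    headers = {"Authorization": token, "Content-Type": "application/json"}
    sub_path = f"/subscriptions/{sid}"
    results = {}
    status, _ = transport("GET", management_url(service_name, sub_path), headers)
    results["read_own_subscription"] = status
    # Assumed body shape for re-scoping; If-Match is assumed required for PATCH.
    body = {"properties": {"scope": f"/products/{other_product_id}"}}
    status, _ = transport("PATCH", management_url(service_name, sub_path),
                          {**headers, "If-Match": "*"}, body)
    results["rescope_subscription"] = status
    return results


def violations(results):
    """Operations that succeeded although a developer token should be denied them."""
    return [op for op in ("rescope_subscription",)
            if 200 <= results.get(op, 0) < 300]


# Constructed offline transports standing in for two kinds of instance.
def denying_transport(method, url, headers, body=None):
    """Behaves as the answer describes: reads work, re-scoping is refused."""
    return (200, "{}") if method == "GET" else (403, '{"error":"Forbidden"}')


def permissive_transport(method, url, headers, body=None):
    """Behaves as the asker reports: every operation is accepted."""
    return (200, "{}") if method == "GET" else (204, "")


if __name__ == "__main__":
    demo_token = "SharedAccessSignature uid=1&ex=2099-01-01T00:00:00.0000000Z&sn=ZmFrZQ=="
    print(parse_sas_token(demo_token))
    res = probe_token("contoso", demo_token, "5a58bc", "starter", denying_transport)
    print(res, "violations:", violations(res))
```

Run it against a real instance by passing no transport (the default uses urllib), with the token copied from the portal's Authorization header and a subscription id that belongs to that user. An empty `violations` list matches the answer; a non-empty one reproduces what the question describes and is worth raising with the platform team before relying on subscription approval as an access-control boundary.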
