Question
I have a question about the separation of the publishers.
If we want the publishers to manage only their own API, can we restrict them to see/update APIs published by other publishers? Or do we need to create a separate tenant?
In theory there's a possibility to restrict API visibility to a specific role, but there's a way around it. If a publisher is displaying statistics, the statistics show records for APIs which should not be visible to the user without the specific restriction role. Clicking on a statistics record (e.g. number of subscriptions), the user will gain access to edit an API which should not be seen. So now we have security by obscurity.
For the store and gateway, the role is indeed checked. Here I'm considering the publishers.
Answer 1:
By design, all APIs in a single tenant are visible to every publisher in that tenant. Role-based visibility is applicable only to the store.
If you create multiple tenants, you can isolate APIs. If you want to access all of them in the store, you can set the API visibility to "public".
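The visibility rules stated in the question and the answer, written up as a small access model (an added example, not WSO2 code): tenant names, owner tags and the visibility/role fields are constructed assumptions, chosen to mirror the store's "public"/"private"/role-restricted settings. The exposure report shows why role restrictions alone do not separate publishers in one tenant, and why a tenant per team does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Api:
    name: str
    tenant: str
    owner: str                      # constructed tag: the team meant to manage this API
    visibility: str = "private"     # store visibility: "public" | "private" | "restricted"
    allowed_roles: frozenset = frozenset()  # used only when visibility == "restricted"


@dataclass(frozen=True)
class User:
    tenant: str
    roles: frozenset
    portal: str                     # "publisher" or "store"


def can_see(user: User, api: Api) -> bool:
    """Visibility as the answer describes it."""
    same_tenant = user.tenant == api.tenant
    if user.portal == "publisher":
        # Publisher portal: every API of the tenant, whatever its role restriction.
        return same_tenant
    if not same_tenant:
        # Store, other tenant: only APIs whose visibility is "public".
        return api.visibility == "public"
    if api.visibility == "restricted":
        # Store, own tenant: role-based visibility is enforced here.
        return bool(user.roles & api.allowed_roles)
    return True


def visible_apis(user: User, apis) -> list:
    return sorted(a.name for a in apis if can_see(user, a))


def exposure_report(apis) -> dict:
    """Per owner team, the other teams' APIs its publishers can see and edit.
    With one tenant for everyone this is every other team's API; with one
    tenant per team (assumed below) the report is empty."""
    teams = {a.owner: a.tenant for a in apis}   # assumes each team lives in one tenant
    report = {}
    for team, tenant in teams.items():
        publisher = User(tenant=tenant, roles=frozenset(), portal="publisher")
        report[team] = sorted(a.name for a in apis
                              if can_see(publisher, a) and a.owner != team)
    return report
```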
Source: https://stackoverflow.com/questions/42003881/wso2-apim-security-separation-of-the-publisher-access