services / Azure / API operation policies configuration
The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at a single API operation, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing.
APIM policies are the gateway's security and traffic-control enforcement layer for an endpoint; they are processing policies, not Azure IAM/RBAC.
Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/delete
Deleting the operation policy strips its enforced security controls (auth, IP filtering, rate limiting, validation) and reverts request handling to default, weakening defenses and altering operational behavior at that endpoint.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security