services / Azure / APIM workspace group users
The membership linking developer-portal user accounts to an APIM workspace group; membership confers the group's product/API access on the user.
These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.
Microsoft.ApiManagement/service/workspaces/groups/users/delete
Removes a user from a group, revoking the product/API access that membership conferred and denying that developer their authorized access.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploit can incur operational cost.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog