services / Azure / APIM workspace group users
The membership linking developer-portal user accounts to an APIM workspace group; membership confers the group's product/API access on the user.
These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.
Microsoft.ApiManagement/service/workspaces/groups/users/write
Adds an existing developer-portal user to a workspace group. Product access in APIM is granted to groups, so the write gives that account (which may be attacker-controlled) every product and API the group can reach, escalating its effective privileges without any change to Azure RBAC. The caller still needs ARM rights to perform the write; the escalation happens in the developer-portal authorization layer.
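A detection that a practitioner would pair with this entry: scan Azure Activity Log records for successful writes of this operation and report who added which user to which workspace group. This is an added example, not code from the P0 catalog; the Activity Log records below are constructed, and the subscription, service, workspace, group and user names in them are invented. Field names (`operationName.value`, `status.value`, `resourceId`, `caller`) follow the Activity Log event schema as exported by `az monitor activity-log list -o json`.

```python
"""Flag APIM workspace group membership additions in Azure Activity Log output.

Added example for this catalog entry, not part of the catalog itself.
SAMPLE_ACTIVITY_LOG is constructed test data with invented identifiers.
"""
import json
import re

# The Activity Log operationName this catalog entry covers.
WRITE_OP = "Microsoft.ApiManagement/service/workspaces/groups/users/write"

# Target resource ID shape:
#   .../providers/Microsoft.ApiManagement/service/{svc}/workspaces/{ws}/groups/{group}/users/{user}
RESOURCE_RE = re.compile(
    r"/providers/Microsoft\.ApiManagement/service/(?P<service>[^/]+)"
    r"/workspaces/(?P<workspace>[^/]+)/groups/(?P<group>[^/]+)/users/(?P<user>[^/]+)$",
    re.IGNORECASE,
)


def parse_membership_writes(records, watched_groups=None):
    """Return one finding per successful workspace-group membership write.

    records: iterable of Activity Log entries (dicts).
    watched_groups: optional set of group names; when given, only writes into
    those groups are reported (e.g. groups that unlock internal or paid products).
    Failed/denied attempts are skipped here; they belong in a separate
    "attempted escalation" signal, not in the escalation finding itself.
    """
    watched = {g.lower() for g in watched_groups} if watched_groups else None
    findings = []
    for rec in records:
        op = (rec.get("operationName") or {}).get("value", "")
        if op.lower() != WRITE_OP.lower():
            continue
        if (rec.get("status") or {}).get("value") != "Succeeded":
            continue
        m = RESOURCE_RE.search(rec.get("resourceId", ""))
        if not m:
            continue
        parts = m.groupdict()
        if watched is not None and parts["group"].lower() not in watched:
            continue
        findings.append({
            **parts,
            "caller": rec.get("caller", "<unknown>"),   # ARM principal that did the write
            "time": rec.get("eventTimestamp", ""),
        })
    return findings


# Constructed sample: one successful add, one denied add, one unrelated delete.
SAMPLE_ACTIVITY_LOG = json.loads(r"""[
 {"eventTimestamp": "2024-06-01T10:00:00Z",
  "caller": "contractor@example.com",
  "operationName": {"value": "Microsoft.ApiManagement/service/workspaces/groups/users/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim/providers/Microsoft.ApiManagement/service/apim-prod/workspaces/payments/groups/partners/users/dev-user-42"},
 {"eventTimestamp": "2024-06-01T10:01:00Z",
  "caller": "contractor@example.com",
  "operationName": {"value": "Microsoft.ApiManagement/service/workspaces/groups/users/write"},
  "status": {"value": "Failed"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim/providers/Microsoft.ApiManagement/service/apim-prod/workspaces/payments/groups/internal/users/dev-user-42"},
 {"eventTimestamp": "2024-06-01T10:02:00Z",
  "caller": "platform-admin@example.com",
  "operationName": {"value": "Microsoft.ApiManagement/service/workspaces/groups/users/delete"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim/providers/Microsoft.ApiManagement/service/apim-prod/workspaces/payments/groups/partners/users/dev-user-7"}
]""")


if __name__ == "__main__":
    for f in parse_membership_writes(SAMPLE_ACTIVITY_LOG):
        print(f"{f['time']} {f['caller']} added {f['user']} to "
              f"{f['service']}/{f['workspace']}/{f['group']}")
```

In a live pipeline, feed the function the `value` array from the Activity Log export (or the equivalent Event Hub records) and pass `watched_groups` to restrict findings to groups whose products expose confidential data; the failed entry is deliberately excluded so that the finding means a membership actually changed.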
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploit can incur operational cost.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog