services / Azure / APIM workspace product-group associations
The association binding APIM developer groups to a product within a workspace; membership in an associated group grants developers access to consume the product's APIs through the developer portal.
These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.
Microsoft.ApiManagement/service/workspaces/products/groups/delete
Deleting the group-product association revokes API access for all members of that group and tears down an access-control binding, denying authorized developers their access.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploitation can incur operational cost.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog