services / Azure / APIM workspace product-group associations
The association binding APIM developer groups to a product within a workspace; membership in an associated group grants developers access to consume the product's APIs through the developer portal.
These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.
Microsoft.ApiManagement/service/workspaces/products/groups/write
Associating a group with a product grants all of that group's members access to the product's APIs, broadening entitlements and altering the gateway access-control configuration.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploitation can incur operational cost.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog