I have a question about the separation of the publishers.
If we want the publishers to manage only their own API, can we restrict them to see/update APIs published by other publishers? Or do we need to create a separate tenant?
In theory - there's a possibility to restrict API visibility to a specific role, but there's a way around it. If a publisher is displaying statistics - the statistics show records for APIs which should not be visible to the user without the specific restriction role. By clicking on a statistics record (e.g. number of subscriptions), the user will gain access to edit an API which should not be seen. So - now we have security by obscurity.
For the store and gateway - indeed the role is checked. Here I'm considering the publishers.