In the Azure API Management instance I have deployed, I have enabled both the Management API and the Developer Portal.
I can log into the Developer Portal (as a Developer, with the account added to the Developers group in the Developer Portal blade in the Azure Portal and no other permissions assigned to the user), I can extract the acquired SAS token which the portal uses in the Authorization header, and I can use this token to perform operations on the API Management instance via the Management API.
Is this correct? With the Developer Portal using the same API behind the scenes, I understand some of the operations will be possible with the SAS token assigned to Developers, such as Create Subscription, edit displayName, etc. (as this is all possible from the Developer Portal by Developers). But should Developers really be able to (for example) use the Management API/their developer portal token to change the scope of their approved subscription from one Product/API to another? This way they can gain access to a Product/API I did not approve, under the 'approved' subscription from a previous subscription meant for a different authorized Product/API.
I would have expected such operations/capabilities to be available only to users in the Developer Portal's Administrators group (or similar).
Is this correct behavior, or is there some extra configuration I am not aware of to restrict such capabilities for 'Developers'? I do not want Developers to be able to manipulate subscriptions to gain access to Products/APIs they have not been approved access to. I also need the Management API enabled, so disabling it is not an option (but out of curiosity I disabled the Management API and I could still edit subscriptions using the same API as the developer portal).
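One defensive control that fits the concern raised above is a periodic drift check: keep your own record of which scope each subscription was approved for, pull the current subscription list, and flag any active subscription whose scope no longer matches. The block below is an added example, not code from the original post or from Microsoft; the subscription records are constructed to resemble the `properties` of APIM subscription contracts (fields `scope`, `state`, `ownerId`), and the `APPROVED_SCOPES` store is an assumption standing in for whatever system records your approvals.

```python
"""Drift check for Azure API Management subscription scopes (added example).

Compares the scope each subscription currently carries with the scope that
was approved for it and reports subscriptions that moved to a Product or API
nobody approved, or that have no approval record at all.
"""

from dataclasses import dataclass
from typing import Optional

# Assumption: an approval record kept outside APIM, keyed by subscription id.
APPROVED_SCOPES = {
    "sub-weather": "/products/weather-basic",
    "sub-payments": "/products/payments-partner",
    "sub-maps": "/apis/maps-v1",
}

# Constructed sample of what a subscriptions listing might return
# (shape modelled on the APIM subscription contract; values are made up).
CURRENT_SUBSCRIPTIONS = [
    {"name": "sub-weather",
     "properties": {"scope": "/products/weather-basic", "state": "active", "ownerId": "/users/alice"}},
    {"name": "sub-payments",
     "properties": {"scope": "/products/payments-internal", "state": "active", "ownerId": "/users/bob"}},
    {"name": "sub-maps",
     "properties": {"scope": "/apis/maps-v1", "state": "suspended", "ownerId": "/users/carol"}},
    {"name": "sub-unknown",
     "properties": {"scope": "/products/finance", "state": "active", "ownerId": "/users/dave"}},
]


@dataclass(frozen=True)
class Finding:
    subscription: str
    owner: str
    approved_scope: Optional[str]
    current_scope: str
    reason: str


def normalize_scope(scope: str) -> str:
    """Reduce a scope to its '/products/<id>' or '/apis/<id>' tail so that a
    full ARM resource id and a short scope compare equal; case-insensitive."""
    for marker in ("/products/", "/apis/"):
        idx = scope.find(marker)
        if idx != -1:
            return scope[idx:].rstrip("/").lower()
    return scope.rstrip("/").lower()


def find_scope_drift(subscriptions, approved) -> list:
    """Return a Finding for every active subscription whose current scope is
    not the approved one, or that has no approval record."""
    findings = []
    for sub in subscriptions:
        props = sub["properties"]
        if props.get("state") != "active":
            continue  # suspended/cancelled subscriptions grant no access
        name = sub["name"]
        owner = props.get("ownerId", "?")
        current = normalize_scope(props["scope"])
        expected = approved.get(name)
        if expected is None:
            findings.append(Finding(name, owner, None, current, "no approval record"))
        elif normalize_scope(expected) != current:
            findings.append(Finding(name, owner, expected, current, "scope differs from approved"))
    return findings


if __name__ == "__main__":
    for f in find_scope_drift(CURRENT_SUBSCRIPTIONS, APPROVED_SCOPES):
        print(f"{f.subscription} ({f.owner}): {f.reason}; "
              f"approved={f.approved_scope} current={f.current_scope}")
```

Run on a schedule against the real subscription listing, any finding is a candidate for suspending the subscription and reviewing who changed it; the check is deliberately independent of how the change was made (portal, Management API, or ARM), since the question shows the same edit is reachable through more than one path.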