You can refer to [1] for this task.

According to [1], you can define a scope (shared or local) that belongs to particular user role(s). For example, if you define a scope named `test` by adding the user roles `Internal/subscriber` and `admin`, and add this scope to your resource (which is `/resource/{id}`), then only the users who have the role `Internal/subscriber` or `admin` with the scope `test` can invoke the resource.

I hope your problem will get solved by this.
[1] https://apim.docs.wso2.com/en/3.2.0/learn/api-security/oauth2/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/
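The two checks the answer describes, modelled as an added example (this is illustrative code, not WSO2's implementation): the token endpoint grants a requested scope only if the user holds one of the roles bound to it, and the gateway then admits a call only if the token carries every scope the resource requires. The binding `test -> Internal/subscriber, admin` and the resource `/resource/{id}` are the ones from the answer; the role `Internal/everyone` and the user names are constructed sample values.

```python
from dataclasses import dataclass, field

# scope name -> roles allowed to obtain it (binding from the answer's example)
SCOPE_ROLE_BINDINGS = {"test": {"Internal/subscriber", "admin"}}
# (HTTP verb, resource template) -> scopes required to invoke it
RESOURCE_SCOPES = {("GET", "/resource/{id}"): {"test"}}


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset = field(default_factory=frozenset)


def issue_token(user: str, user_roles: set, requested_scopes: set) -> Token:
    """Token-endpoint view: grant only those requested scopes whose role
    binding the user satisfies. Unknown or unsatisfied scopes are dropped,
    so the token never carries a scope the user was not entitled to."""
    granted = {
        s for s in requested_scopes
        if s in SCOPE_ROLE_BINDINGS and user_roles & SCOPE_ROLE_BINDINGS[s]
    }
    return Token(user, frozenset(granted))


def gateway_allows(token: Token, verb: str, resource: str) -> bool:
    """Gateway view: the token must carry every scope the resource requires.
    A resource with no scope attached accepts any valid token."""
    required = RESOURCE_SCOPES.get((verb, resource), set())
    return required <= token.scopes


if __name__ == "__main__":
    # constructed sample users: one with a bound role, one without
    alice = issue_token("alice", {"Internal/subscriber"}, {"test"})
    bob = issue_token("bob", {"Internal/everyone"}, {"test"})
    print(gateway_allows(alice, "GET", "/resource/{id}"))  # True
    print(gateway_allows(bob, "GET", "/resource/{id}"))    # False
```

Note that the role check happens at token issuance, so a role removed afterwards only stops access once the existing token expires or is revoked.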