I have 10 API Gateway "service call policies" all using the same template (OAuth2 token check -> JSON request -> route to backend middleware system -> response).
I have 2 LDAP groups with some common users across the two groups. All the users within one group have the same level of permission.
Both groups' users are using the same client_Id & Secret to generate an OAuth2 token via a common "Login" policy.
Is there any restriction or policy/assertion which can be implemented in the "service call policy" to prevent a user from accessing one "service call policy" but not the other?
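One way to model the per-service check the question asks about, as an added example that is not from the original post or from any gateway product: a default-deny group check evaluated in each service call policy, assuming the common "Login" policy attaches the caller's LDAP group membership to the token (the service names, group names and token contents below are constructed).

```python
# Added example (not from the original post): per-service group authorization
# at the "service call policy" step. Because every caller presents the same
# client_Id/Secret, the client credentials cannot tell the two LDAP groups
# apart; the decision has to come from the user's group membership that the
# Login policy recorded in the token. Modelled here as an introspected claim set.

# Hypothetical mapping: which LDAP groups may call which service policy.
SERVICE_ALLOWED_GROUPS = {
    "service-call-policy-1": {"ldap-group-A"},
    "service-call-policy-2": {"ldap-group-B"},
    "service-call-policy-3": {"ldap-group-A", "ldap-group-B"},
}

def authorize(service_name: str, token_claims: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed: an inactive token, a service
    with no configured groups, or a token without group claims is denied."""
    if not token_claims.get("active", False):
        return False, "token inactive or invalid"
    allowed = SERVICE_ALLOWED_GROUPS.get(service_name)
    if allowed is None:
        return False, f"no group policy configured for {service_name}"
    groups = set(token_claims.get("groups") or [])
    if not groups:
        return False, "token carries no group membership"
    hit = groups & allowed
    if hit:
        return True, f"member of {sorted(hit)}"
    return False, f"requires one of {sorted(allowed)}, caller has {sorted(groups)}"

# Constructed introspection-style results: same client_id for everyone, differing
# only in the LDAP groups the Login policy attached. carol is in both groups;
# dave's token is missing the groups claim entirely.
TOKENS = {
    "alice": {"active": True, "client_id": "shared-client", "groups": ["ldap-group-A"]},
    "bob":   {"active": True, "client_id": "shared-client", "groups": ["ldap-group-B"]},
    "carol": {"active": True, "client_id": "shared-client", "groups": ["ldap-group-A", "ldap-group-B"]},
    "dave":  {"active": True, "client_id": "shared-client"},
}

def decide_all(service_name: str) -> dict:
    """Evaluate one service policy against every constructed caller."""
    return {user: authorize(service_name, claims)[0] for user, claims in TOKENS.items()}

if __name__ == "__main__":
    for svc in SERVICE_ALLOWED_GROUPS:
        print(svc, decide_all(svc))
```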