Hi Paul, - just cutdown answer of the one I sent via email :
The feature "Idea" to allow services to be selected, is discussed here:
https://communities.ca.com/ideas/235726554
And in the discussion, there is links to the two workarounds, i developed both with their situation in mind:
1) global pre-service policy doing a check before the service is called.
2) listen port hardcoded to specific service, and that service vets the access and then forwards to a proxy.
Normally there would be two API Gateways, internal one with restman installed, and the external one, not having it installed, but could then forward it onto the internal one.
Cheers - Mark