A new security feature is introduced in the API Management service. Using the new tenants property you can specify the tenants that can access your resources. You can use this property similarly to other authorization options that are already available in the Builder.
Currently this feature is available on the API level.

The tenants property allows only the specified tenants to access your resources. You can set this property when you create a service, or at any time later.

This is a sample request to the API Management service to create a new service with an authorization rule that allows only the two user-defined tenants to access the specified resources. Line breaks are added for better readability.

curl -X POST https://api.eu.yaas.io/hybris/api-management/projects/myProject/services \
-H "Content-type: application/json" \
-H "Authorization: Bearer 0918th3-t0k3nz18eU-u09810n33d-1337eet" \
-d '{
  "name": "myservice",
  "version": "v1",
  "state": "DRAFT",
  "sourceUrl": "https://my.service.com/",
  "authorizationRules": [
        {
          "path": "/myservice/pathiwannasecure",
          "methods": ["POST", "DELETE"],
          "tenants": ["mytrustedtenant1", "mytrustedtenant2"]
        }
    ]
}'

As result, the newly created service allows only the mytrustedtenant1 and mytrustedtenant2 tenants to access the resources located under the /myservice/pathiwannasecure path.

If you want to use the tenants property and create a new authorization rule for a service that already exists, send a PUT request to the projects/{projectID}/services/{serviceID} endpoint of the API Management service.

Learn more:

• Read about the authorization rules in the related section of the YaaS Security documentation in the Dev Portal.
• For more information about the API Management service, see the related documentation and API console.