Hi Jens,
Thank you for your question.
Best practice is to create multiple APIs (or API products) aligned to consumer intent and access level, and use subscriptions to control who can access what. Policies should remain simple and reusable, not overloaded with conditional role logic.
This approach aligns with industry standards and is also the architecture APIM 3.0 is designed to support.
Option 2 – Multiple APIs + subscriptions is the recommended approach
What most teams do in practice is adopt a hybrid approach:
Use API / product boundaries for coarse access control
Use policies for cross-cutting concerns (different policy control areas)
Avoid deep endpoint-level role logic unless it’s a truly exceptional use case
Think of policies as guardrails, not decision trees.
If the rule is about security, protection, or observability ➡️ policy
If the rule is about who can do what ➡️ API/product + subscription