Restrict single APIs instead of products (OAuth Scope?)

Hi,

in SAP API Management we are exposing APIs bundled in products. We are able to give "discovery" and "subscription" priviliges to users to restrict access.

My (probably very common) scenario is following: A developer should have access to a product, but should'nt be able to access/call every single API within the product. What is the best way to achieve this? My idea was to use OAuth Scopes, I don't know how to implement this though. At the moment APIs are ony restricted by OAuth key/secret.

Thank you