Enhancement
Resolution: Done
Major
Hi,
Please add the ability to match against any of a set of possibly orthogonal roles for an endpoint pattern (i.e. an 'OR' condition) rather than just AND-ing over all endpoint policies.
Currently, the apiman authorization policy treats roles as endpoint claims with its mapping of a single role to a given endpoint pattern and HTTP verb. To allow role A OR role B access to an endpoint matching the pattern (e.g. as flowed through the Keycloak authentication policy plugin), both A and B would have to share a common role/claim for that endpoint. When externalizing fine-grained API authorization into apiman, the current AND-ing behavior causes an explosion in roles. It would be great to have the option to use higher-level roles and just match a given pattern to any role in the list A,B,...
Thanks in advance!
Robert
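The difference between the two matching modes described in this request, as an added example that is not part of the original report and is not apiman's code or configuration format. It is a minimal Python model: `Rule`, `authorize`, the `mode` values and the role and path names are hypothetical, and a request that matches no rule is denied by assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    verb: str     # HTTP verb, or "*" for any verb
    pattern: str  # regex matched against the whole request path
    role: str     # the single role this rule maps to the pattern


def matching_roles(rules, verb, path):
    """Roles named by every rule whose verb and pattern match the request."""
    return {r.role for r in rules
            if r.verb in ("*", verb) and re.fullmatch(r.pattern, path)}


def authorize(rules, user_roles, verb, path, mode="all"):
    """mode="all": caller must hold every matched role (the AND behaviour).
    mode="any": caller must hold at least one matched role (the requested OR)."""
    required = matching_roles(rules, verb, path)
    if not required:
        return False  # assumption: no matching rule means deny
    held = set(user_roles)
    if mode == "all":
        return required <= held
    if mode == "any":
        return bool(required & held)
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed sample policy: two higher-level roles mapped to one pattern.
RULES = [
    Rule("GET", r"/orders/.*", "sales"),
    Rule("GET", r"/orders/.*", "support"),
]

# Under "all", adding a rule narrows access; under "any" it widens access,
# so every rule added to an any-of policy needs the same review as a grant.
WIDENED = RULES + [Rule("GET", r"/orders/.*", "intern")]

if __name__ == "__main__":
    for mode in ("all", "any"):
        print(mode, authorize(RULES, {"sales"}, "GET", "/orders/42", mode))
```

Under the AND behaviour, the only way to let `sales` or `support` through is a third role shared by both and mapped alone to the pattern, which is the role explosion the report describes.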