This issue is forked from https://issues.jboss.org/browse/THREESCALE-628 and it is issue in Activedocs for 3scale API docs. Please look at https://issues.jboss.org/browse/THREESCALE-628?focusedCommentId=13583534&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13583534 for details.

There are issues at ActiveDocs pages:

In Swagger "Simple Echo API" example user can see list of services including services which should be hidden for user because he/she is no authorized to see them
In 3scale-admin.domain/p/admin/api_docs user who is not authorized for that(only member permission, all "This user can access" unmarked) can see for example list of users for "User Read" -> account id or id