Using scope functionality in WSO2 API Manager, I am able to limit access to my back-end APIs like http://mydomain/context/students (GET - list of all students), http://mydomain/context/student/S101 (GET - details of student S101) or http://mydomain/context/student/create (POST) only to users who are assigned specific roles. That much fine-grained control, I am able to implement.
But I want to implement more detailed filtering: User U101 is allowed to view details of students S101 to S110 only. So http://mydomain/context/student/S111 should be blocked for him and http://mydomain/context/students should only return details of S101 to S110. Can I implement this filtering in WSO2 API Manager? (I have an RDBMS table (part of back-end, not in WSO2) with the mapping of users to the list of students, whose details the user is allowed to access.)
In API Manager, any modification to the response content is done via mediation scripts. In your scenario, the role - content mapping should be stored in API Manager in order to filter the content. For this you can use a class mediator to filter the response content.
In the mediator you have to get the role - content mapping. You can either define it in the class itself or retrieve it from your database.
Please follow documentation [1] and [2] for how to write a class mediator and how to use it.
[1] https://docs.wso2.com/display/EI600/Class+Mediator
[2] https://docs.wso2.com/display/AM210/Adding+Mediation+Extensions
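
The per-user check described in the answer above, as an added example that is not part of the original answer and is not WSO2 code: plain Java decision logic that a class mediator's `mediate()` method could call on the request and on the response. The class name `StudentAccessFilter`, the record field `id`, and the in-memory map standing in for the RDBMS table are assumptions.

```java
import java.util.*;
import java.util.regex.*;
import java.util.stream.Collectors;

// Added example (hypothetical class): per-user object-level authorization.
public class StudentAccessFilter {
    // Single-student resource from the question, e.g. /context/student/S101
    // (path without query string; an optional trailing slash is tolerated).
    private static final Pattern STUDENT_PATH = Pattern.compile(".*/student/([^/]+)/?$");

    // user -> student ids the user may view (in practice loaded from the RDBMS table)
    private final Map<String, Set<String>> allowed;

    public StudentAccessFilter(Map<String, Set<String>> allowed) {
        this.allowed = new HashMap<>(allowed); // defensive copy, tolerates null lookups
    }

    // Deny by default: unknown users and unmapped or malformed ids are rejected.
    public boolean mayView(String user, String studentId) {
        return allowed.getOrDefault(user, Collections.emptySet()).contains(studentId);
    }

    // Request side, GET only: decide on .../student/{id}.
    // Paths outside .../student/ are left to the existing scope checks.
    public boolean allowRequest(String user, String path) {
        Matcher m = STUDENT_PATH.matcher(path);
        return !m.matches() || mayView(user, m.group(1));
    }

    // Response side: keep only the records of .../students the user is mapped to.
    public List<Map<String, String>> filterList(String user, List<Map<String, String>> students) {
        return students.stream()
                .filter(s -> mayView(user, s.get("id")))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: U101 may view S101 to S110, as in the question.
        Set<String> ids = new HashSet<>();
        for (int i = 101; i <= 110; i++) ids.add("S" + i);
        StudentAccessFilter f = new StudentAccessFilter(Map.of("U101", ids));

        System.out.println(f.allowRequest("U101", "/context/student/S101"));
        System.out.println(f.allowRequest("U101", "/context/student/S111"));
        System.out.println(f.allowRequest("U999", "/context/student/S101"));
        List<Map<String, String>> backend = List.of(
                Map.of("id", "S110", "name", "A"), Map.of("id", "S111", "name", "B"));
        System.out.println(f.filterList("U101", backend));
    }
}
```

The `user` argument should be the identity the gateway established when it validated the access token, not a value read from a client-supplied header or parameter.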