Merge pull request #228545 from dlepow/open

prmerger-automator[bot] · web-flow · commit cb92b909458a · 2023-02-25T01:50:53.000Z
[APIM] Open product clarification
diff --git a/articles/api-management/api-management-howto-add-products.md b/articles/api-management/api-management-howto-add-products.md
@@ -186,7 +186,7 @@ After you publish a product, developers can access the APIs. Depending on how th
 
     When a client makes an API request without a subscription key:
     
-    * API Management checks whether the API is associated with an open product. 
+    * API Management checks whether the API is associated with an open product. An API can be associated with at most one open product.
 
     * If the open product exists, it then processes the request in the context of that open product. Policies and access control rules configured for the open product can be applied. 
 
diff --git a/articles/api-management/api-management-subscriptions.md b/articles/api-management/api-management-subscriptions.md
@@ -125,7 +125,7 @@ When API Management receives an API request from a client with a subscription ke
 
 When API Management receives an API request from a client without a subscription key, it handles the request according to these rules: 
 
-1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the product. 
+1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the product. An API can be associated with at most one open product.
 1. If an open product including the API isn't found, check whether the API requires a subscription. If a subscription isn't required, handle the request in the context of that API and operation.
 1. If no configured product or API is found, then access is denied (401 Access denied error).
 
@@ -141,7 +141,7 @@ The following table summarizes how the gateway handles API requests with or with
 |❌<sup>1</sup>     | ✔️    | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        |    Access allowed (open product context)     | •	Protected API access with API-scoped subscription<br/><br/>•	Anonymous access to API. If anonymous access isn’t intended, configure with product policies to enforce authentication and authorization  |
 |❌<sup>1</sup>     |  ❌      | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        | Access allowed (open product context)        | Anonymous access to API. If anonymous access isn’t intended, configure with product policies to enforce authentication and authorization  |
 
-<sup>1</sup> An open product exists.
+<sup>1</sup> An open product exists that's associated with the API. 
 
 ### Considerations
 
