API Access Management: Access Policy

I have a standard API Authorization use case to control Read Only and Read Write access to API.

In the Okta developer account I have created two groups (trup-ro and trup-rw) and assigned various users to these groups.

I have created an application of type web named trupctl.

On the default Authorization Server, I have created two scopes, trup-ro and trup-rw, corresponding to the groups. I have created a rule as follows:

But what I am noticing is that the users who are not even members of the trup-rw group get the scope trup-rw in the access token if it is requested in the authorization_code flow.

Also I noticed in the demo videos for API Access Management a different AddRule form:

wherein you can see the difference in the ability to specify scopes in a THEN Grant clause. Is that a paid account feature?

I think there is a misunderstanding here probably.

You need to create a rule which says that whoever requests scope “…rw” should belong to group “…rw”.

My first rule limits who can access scope “groups” (it’s my existing scope). So you would need to create a rule for your “rw” scope, and allow all scopes in your default rule (I’m assuming “ro” is allowed to anyone assigned to the application).