I have a standard API Authorization use case to control Read Only and Read Write access to API.
In the okta developer account I have created two groups (trup-ro and trup-rw) and assigned various users to these groups.
I have created an application of type web named : trupctl
On the default Authorization Server, I have created two scopes trup-ro and trup-rw corresponding to the groups. I have created rule as follows
But what I am noticing is that the users who are not even members of the trup-rw group get the scope trup-rw in the access token if it is requested in the authorization_code flow.
Also I noticed in the demo videos for API Access Management a different AddRule form: