In order to protect sensitive and personal data, we would like to switch off the ability to trace API proxies in the production environment. What is the simplest way this can be done? This is in addition to field level masking currently being investigated.
You can restrict trace sessions via user roles and RBAC, see here https://docs.apigee.com/api-services/content/understanding-roles
Hope it helps