First, I'll assume there is an OAuth token that the client is sending in. The token can be an opaque token, or a JWT access token. In either case, Apigee can inspect and validate the token and determine what claims (in the case of JWT) or attributes (in the case of an opaque Apigee token) are on the token.

A few things to consider:

• If you have a claim or attribute on the token that asserts the userid, then ... you can check for access to /user/USERID . You could use an ExtractVariables policy to extract the relevant segment from the URL and then compare it to the claim/attr in the token, and reject (403) if there is no match.
• Assuming the same kind of claim/attr in the token you could also provide auto-pathing, where Apigee would accept a path like /users/me, and then map the keyword "me" to the actual userid in the token.
• Finally if there is a url space that does not map directly to the userid, ... in other words user 1234 can GET /B but usr /3456 can get /A and /C , that is a set of authorization rules, and you probably want to externalize that into a ruleset that Apigee calls into. I have used a Google Sheet (yes!) to store the ruleset, and have Apigee call out to the Sheet via API, it works really well. It's on my list to do a community post, screencast and publish a git repo with this demonstration.