Currently, it is not possible to have SMOs visible or hidden on OData API Endpoint based on configuration or access permissions to that particular API. The user will always see all exposed SMOs on the endpoint and will be able to execute SMO methods (at least List method). That poses a security limitation. For example, when users use Excel or PowerBI, they will be able to choose any of the exposed SMOs and access data in a data source.

It would be preferred if we could have the possibility to configure security for exposed SMOs, so that we can configure users/groups that are allowed to see particular SMOs exposed on OData Endpoint. In that way, when users open API Endpoint, they would only see subset of exposed SMOs for which they have permissions configured.