This topic involves creating and managing administrative users on your API team who develop and test APIs, run reports, and perform other API admin tasks. Administrative users and roles do not apply to app developers, the consumers of your API. For information on controlling app developer access to your APIs, see Publishing Overview.

You access user and role management in the Admin menu of the management UI.

Before you and your team can start using Apigee Edge for creating and managing APIs, you need to have an account and an organization. Once you have an account and an organization, if you're an administrator, you have access to the Admin tab on Apigee Edge where you can add and modify users. As part of adding or modifying users, you set the user's role.

Users can be assigned to more than one role. If a user has multiple roles assigned, the greater permission takes precedence. For example, if one role doesn't allow the user to create API proxies, but another role does, then the user can create API proxies. In general, it is not a common use case to assign users multiple roles. See "Adding roles to a user" below. 

See Creating an Apigee Edge account for more information on creating Edge accounts.

This topic applies to API management, not API BaaS, which has its own user management framework.

About user roles

In Apigee Edge, user roles form the basis of role-based access, meaning that you can control what functions a person can access by assigning them a role (or roles). By default, your role is set based on how you create your account:

  • If you create your own Edge account, your role is set to organization administrator in your organization. If you add users to your organization, you set the user role (or roles) at the time that you add them. If you are later added to another organization, your role is determined by the administrator of that organization.
  • If an administrator creates your account, your role (or roles) is determined by the administrator. An organization administrator can later change your role(s) if necessary. See "Adding roles to a user" below. 

 The following roles and permissions are available by default: 

By default, all users associated with an organization can view details about other organization users, such as email address, first name, and last name. Only users with the Organization Administrator role can add or update other organization users.

| Permissions | User | Business User | Organization Administrator | Read-only Organization Administrator* | Operations Administrator |
|---|---|---|---|---|---|
| APIs | | | | | |
| View the list and details of an organization's APIs. Modify and delete API details. | yes | yes | yes | View only | yes |
| Create, update, and delete APIs | yes | no | yes | no | no |
| API deployment | | | | | |
| Deploy API proxies to a test environment | yes | no | yes | no | yes |
| Deploy API proxies to a production environment | no | no | yes | no | yes |
| API trace | | | | | |
| Create and delete trace sessions and get their data in a test environment | yes | yes | yes | no | yes |
| Create and delete trace sessions and get their data in a production environment | yes | no | yes | no | yes |
| Products | | | | | |
| View API products | yes | yes | yes | yes | yes |
| Create, update, and delete API products | no | yes | yes | no | no |
| Developers | | | | | |
| View developers | yes | yes | yes | yes | yes |
| Create, update, and delete developers | no | yes | yes | no | no |
| Developer apps | | | | | |
| View developer apps | yes | yes | yes | yes | yes |
| Create, update, and delete developer apps | no | yes | yes | no | no |
| Analytics | | | | | |
| View custom reports | yes | yes | yes | yes | yes |
| Create, update, and delete custom reports | no | yes | yes | no | no |
| Users and roles | | | | | |
| View users and roles | no | no | yes | yes | no |
| Create, update, and delete users | no | no | yes | no | no |
| Create, update, and delete user roles | no | no | yes | no | no |
| Environments | | | | | |
| View cache details | yes | yes | yes | yes | yes |
| Create, update, and delete caches | no | no | yes | no | no |
| View virtual host details | yes | yes | yes | no | yes |

*Read-only Organization Administrator has access to the same entities as an Organization Administrator but access is read only. This role is for OPDK installations only, not for the cloud.

Creating roles

You can configure more complex roles and permissions using the User Roles API. See Role-based access control.

Viewing user data

The Organization Users table on the Admin > Organization Users page lists all of the users attached to the current organization. For each user you can see:

  • Name: The name of the user you entered when you created the user.
  • Primary email: The email address you entered when you created the user.
  • Role: The role of the user, which determines the degree of access. By default, all users have a user role that gives them full access to all features in Apigee.

Adding users

Users of API Services are members of the API team who develop and test the API, or run reports—not external developers. To add an organization user:

  1. In the Edge management UI, while logged in as an organization administrator, select Admin > Organization Users.
  2. Click + User. The "Add a User" screen appears.
  3. Enter the user's First Name, Last Name, and Email.
  4. Select the Role or Roles you want to offer to the user. See also "Adding roles to a user" below.
  5. Click Save.

The First Name, Last Name, and Email Address fields are editable, so if needed, you can change what you initially entered for the user. You can also change the role selection if needed.

Adding roles to a user

You can add one or more roles to a user when you create a new user or if you edit an existing user. 

If a user has multiple roles assigned, the greater permission takes precedence. For example, if one role doesn't allow the user to create API proxies, but another role does, then the user can create API proxies. In general, it is not a common use case to assign users multiple roles.

  1. Select Admin > Organization Users.
  2. Either click + User or click an existing user.
  3. Click in the Roles field, and a dropdown appears.
  4. Select a role to add.
  5. Repeat steps 3 and 4 to add additional roles to the user if you want.
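
Because the greater permission takes precedence, a multi-role user's access is the union of what each role allows. The following Python sketch is an added example, not Apigee code: it applies that rule to a subset of the default permissions table on this page and reports, for each multi-role user, roles that add nothing and permissions gained beyond the widest single role. The user list and the function names are constructed for illustration.

```python
# Added example. MATRIX is a subset of the default-permissions table on
# this page; SAMPLE_USERS is constructed data, not real accounts.
ROLES = ["User", "Business User", "Organization Administrator",
         "Read-only Organization Administrator", "Operations Administrator"]

# permission -> yes/no per role, in ROLES order
MATRIX = {
    "Create, update, and delete APIs":                "yes no yes no no",
    "Deploy API proxies to a test environment":       "yes no yes no yes",
    "Deploy API proxies to a production environment": "no no yes no yes",
    "Create, update, and delete API products":        "no yes yes no no",
    "Create, update, and delete developers":          "no yes yes no no",
    "View users and roles":                           "no no yes yes no",
    "Create, update, and delete users":               "no no yes no no",
}

def role_permissions(role):
    """Permissions a single role grants, according to MATRIX."""
    i = ROLES.index(role)
    return {p for p, row in MATRIX.items() if row.split()[i] == "yes"}

def effective_permissions(roles):
    """Greater permission wins: anything any one assigned role allows."""
    perms = set()
    for role in roles:
        perms |= role_permissions(role)
    return perms

def audit(users):
    """Findings for users holding more than one role."""
    findings = {}
    for email, roles in users.items():
        if len(roles) < 2:
            continue
        total = effective_permissions(roles)
        # A role is redundant if dropping it leaves access unchanged.
        redundant = [r for r in roles if
                     effective_permissions([x for x in roles if x != r]) == total]
        widest = max(roles, key=lambda r: len(role_permissions(r)))
        findings[email] = {
            "redundant_roles": redundant,
            "beyond_widest_role": sorted(total - role_permissions(widest)),
        }
    return findings

SAMPLE_USERS = {  # constructed
    "dev@example.com": ["User"],
    "pm@example.com": ["User", "Business User"],
    "ops@example.com": ["Organization Administrator", "Operations Administrator"],
}

if __name__ == "__main__":
    for email, finding in audit(SAMPLE_USERS).items():
        print(email, finding)
```

A non-empty "beyond_widest_role" list marks a user whose combined roles exceed any one of them, which is the case worth reviewing; a redundant role can be removed without changing access.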

Deleting users

There are two ways to delete a user:

  • To remove a user from your account, select the user in the Organization Users table and click Delete. This only removes the user from the current account. If the user is a member of multiple accounts, they remain in the system.
  • To remove a user from Apigee completely, contact Apigee Support.
