About global users

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.
info

All Edge users are called global users because they are created outside of any Edge organization. Once created, a global user can then be assigned to one or more organizations:

When you assign a user to an organization, you must specify the user's role in that organization. The user's role determines the actions that the user is allowed to perform in that organization. For example, some users are allowed to create APIs, while others can view APIs but cannot modify them.

A global user can also be assigned to the role of Edge system administrator or Edge read-only system administrator. A system administrator performs all administrative tasks required to maintain Edge, including creating new global users.

What information defines a user?

An Edge user is defined by a:

  • First name
  • Last name
  • Email address
  • Password

The email address and password function as the user's credentials when logging in to the Edge management UI and when making requests through the Edge management API.

What are roles?

On its own, a global user cannot do anything in Edge. For a global user to be able to function, the user must be assigned to a role. That role can be either:

  • A system administrator role: For an Edge for the Private Cloud installation only, allows the user to perform all Edge administrative tasks.
  • An organization role: For an organization, determines the actions allowed by the user in that organization.

Roles are essentially CRUD-based permission sets. CRUD means "create, read, update, delete". For example, a user may be given a role in an organization that permits read, or "get", access to details about a protected entity, but not write permission to update or delete it. The organization administrator is the highest-level role in the organization, and can perform any CRUD operation on any entity in the organization.

About predefined organization roles

All Edge organizations are created with the following roles with a predefined set of permissions:

  • Organization Administrator
  • Read-only Organization Administrator
  • Operations Administrator
  • Business User
  • User

You can also create custom roles, with custom permissions, in your organization.

For more, see Creating custom roles in the UI or Creating roles with the API.

About the system administrator roles

Edge supports the following system administrator roles:

When you install Edge for the Private Cloud, the installation script prompts you to create the global user who functions as the system administrator. After installation, you can assign additional global users to the system administrator role.

An Edge system administrator can:

  • Create organizations, environments, and virtual hosts
  • Add additional components to an Edge installation
  • Configure TLS/SSL on a virtual host
  • Create additional system administrators
  • Perform all other Edge administrative tasks

Specific actions that system administrators can perform are described throughout the Edge for Private Cloud documentation.

Assigning global users to an organization

The following image shows the structure of an Edge organization:

An organization contains two distinct types of users:

  • Organization users: Create, modify, and deploy APIs, create and manage entities such as API products, developers, and developer apps, generate analytics reports, and perform other administrative tasks. Organization users are Edge global users assigned to an organization with a specific role.
  • Developers: Build the apps that make requests to your APIs. A developer is not an Edge global user. Think of developers as your API customers. To access the APIs in your organization, a developer must register with the organization and then request an API key. A developer can be registered with multiple organizations to consume APIs from different organizations.

The big difference between users and developers in an organization is that users are Edge global users that build and maintain APIs, while developers are customers that build apps that consume those APIs. Developers typically do not have global user accounts on Edge, and cannot log in to the Edge management UI. The exception to this is an organization user who creates their own developer and developer apps for testing purposes.

For more on developers, see Introduction to publishing.