About global users
All Edge users are called global users because they are created outside of any Edge organization. Once created, a global user can then be assigned to one or more organizations.
When you assign a user to an organization, you must specify the user's role in that organization. The user's role determines the actions that the user is allowed to perform in that organization. For example, some users are allowed to create APIs, while others can view APIs but cannot modify them.
A global user can also be assigned to the role of Edge system administrator or Edge read-only system administrator. A system administrator performs all administrative tasks required to maintain Edge, including creating new global users.
In a Cloud-based installation of Edge, Apigee functions in the role of system administrator and read-only system administrator. You can only assign global users to the system administrator role in an Edge for the Private Cloud installation.
What information defines a user?
An Edge user is defined by the following:
- First name
- Last name
- Email address
The email address and password function as the user's credentials when logging in to the Edge management UI and when making requests through the Edge management API.
What are roles?
On its own, a global user cannot do anything in Edge. For a global user to be able to function, the user must be assigned to a role. That role can be either:
- A system administrator role: For an Edge for the Private Cloud installation only, allows the user to perform all Edge administrative tasks.
- An organization role: For an organization, determines the actions that the user is allowed to perform in that organization.
Roles are essentially CRUD-based permission sets. CRUD means "create, read, update, delete". For example, a user may be given a role in an organization that permits read, or "get", access to details about a protected entity, but not write permission to update or delete it. The organization administrator is the highest-level role in the organization, and can perform any CRUD operation on any entity in the organization.
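The role model described above can be sketched as a deny-by-default check plus a small access review. This is an added example, not Apigee code: the role names echo this page, while the permission sets, entity names, users and organizations are constructed, and the read-only role's permissions are assumed from its name.

```python
# Added illustration, not Apigee code. Role names echo the page; the
# permission sets, entity names, users and organizations are constructed.
CRUD = frozenset({"create", "read", "update", "delete"})
READ = frozenset({"read"})

# role -> {entity type -> allowed operations}; "*" means every entity type
ROLES = {
    "organization administrator": {"*": CRUD},            # any CRUD, any entity
    "read-only organization administrator": {"*": READ},  # assumed from the name
    "api viewer (custom)": {"apis": READ},                # hypothetical custom role
}

# global user -> {organization -> role}; a role is always given per organization
ASSIGNMENTS = {
    "alice@example.com": {"acme-prod": "organization administrator"},
    "bob@example.com": {"acme-prod": "api viewer (custom)",
                        "acme-test": "organization administrator"},
    "carol@example.com": {},  # global user with no role: can do nothing
}

def is_allowed(email, org, entity, operation):
    """Deny by default; allow only what the user's role in this org grants."""
    role = ASSIGNMENTS.get(email, {}).get(org)
    if role is None:
        return False
    perms = ROLES[role]
    return operation in perms.get(entity, perms.get("*", frozenset()))

def writers(org):
    """Access review: users whose role in org permits any non-read operation."""
    found = []
    for email, orgs in ASSIGNMENTS.items():
        perms = ROLES.get(orgs.get(org), {})
        if any(ops - READ for ops in perms.values()):
            found.append(email)
    return sorted(found)

def unassigned_users():
    """Global users with no role in any organization; worth reviewing."""
    return sorted(e for e, orgs in ASSIGNMENTS.items() if not orgs)
```

The same user can hold a read-only role in one organization and full rights in another, so reviews have to be run per organization rather than per user.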
About predefined organization roles
All Edge organizations are created with the following roles with a predefined set of permissions:
- Organization administrator role
- Read-only organization administrator role
- Operations administrator role
- Business user role
- User role
You can also create custom roles, with custom permissions, in your organization.
About the system administrator roles
Edge supports the following system administrator roles:
When you install Edge for the Private Cloud, the installation script prompts you to create the global user who functions as the system administrator. After installation, you can assign additional global users to the system administrator role.
An Edge system administrator can:
- Create organizations, environments, and virtual hosts
- Add additional components to an Edge installation
- Configure TLS/SSL on a virtual host
- Create additional system administrators
- Perform all other Edge administrative tasks
While it is not required, you can assign a system administrator to an organization, typically as an organization administrator. Unless assigned to an organization, the system administrator cannot log in to the Edge management UI.
For more on the actions allowed by the system administrator, see the Edge Operations Guide available on the Apigee ftp site: ftp://ftp.apigee.com/.
Assigning global users to an organization
The following image shows the structure of an Edge organization:
An organization contains two distinct types of users:
- Organization users: Create, modify, and deploy APIs, create and manage entities such as API products, developers, and developer apps, generate analytics reports, and perform other administrative tasks. Organization users are Edge global users assigned to an organization with a specific role.
- Developers: Build the apps that make requests to your APIs. A developer is not an Edge global user. Think of developers as your API customers. To access the APIs in your organization, a developer must register with the organization and then request an API key. A developer can be registered with multiple organizations to consume APIs from different organizations.
The big difference between users and developers in an organization is that users are Edge global users that build and maintain APIs, while developers are customers that build apps that consume those APIs. Developers typically do not have global user accounts on Edge, and cannot log in to the Edge management UI. The exception to this is an organization user who creates their own developer and developer apps for testing purposes.
There is actually one more type of user that you have to be concerned with - the app user. This is the person who uses the apps created by developers. However, app users are not defined or controlled by Edge. It is up to you to decide how to implement authentication and authorization for app users. For example, an app might require the app user to log in. How you process that login is up to you, possibly by accessing a backend LDAP service or other type of authentication mechanism.
For more on developers, see Publishing Overview.
Global user password security behavior
Apigee Edge provides the following safeguards for securing global user passwords.
- Lockout after 5 failed attempts: After 5 failed login attempts, users are locked out for 120 seconds before they can try logging in again.
- Password expiration: There is no password expiration for non-PCI (Payment Card Industry) organizations. This is also the default in an Apigee Edge for Private Cloud installation. For PCI-enabled organizations, passwords expire after 90 days. No advance notifications are sent when passwords are close to expiring.
- Password reset: Global users can use the "Forgot Password" functionality on the Edge UI login page to reset their passwords.
In Apigee Edge for Private Cloud, you can modify password security behavior. For more information, see Resetting Edge Passwords in the Apigee Edge for Private Cloud Operations Guide.
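The lockout and expiration rules above, modeled as an added example (not Apigee's implementation). The numbers 5, 120 and 90 come from this page; the assumptions are that failures are counted consecutively, that a successful login resets the count, and that attempts during a lockout are rejected without being counted. Because no expiry notifications are sent, the report function shows the kind of check an administrator could run over an account inventory; the sample accounts are constructed.

```python
from datetime import date, timedelta

MAX_FAILURES = 5        # from the page
LOCKOUT_SECONDS = 120   # from the page
PCI_MAX_AGE_DAYS = 90   # from the page, PCI-enabled organizations only

class LockoutTracker:
    def __init__(self):
        self.failures = {}      # email -> consecutive failed attempts
        self.locked_until = {}  # email -> time (seconds) the lockout ends

    def attempt(self, email, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for a login attempt at time now."""
        if now < self.locked_until.get(email, 0):
            return "locked"     # rejected even if the password is correct
        if password_ok:
            self.failures[email] = 0
            return "ok"
        count = self.failures.get(email, 0) + 1
        if count >= MAX_FAILURES:
            count = 0
            self.locked_until[email] = now + LOCKOUT_SECONDS
        self.failures[email] = count
        return "failed"

def days_until_expiry(last_changed, today, pci_enabled):
    """Days left before expiry (negative if expired); None if no expiration."""
    if not pci_enabled:
        return None
    return (last_changed + timedelta(days=PCI_MAX_AGE_DAYS) - today).days

def expiry_report(accounts, today, warn_days=14):
    """accounts: (email, last_changed, pci_enabled); most urgent first."""
    report = []
    for email, changed, pci in accounts:
        left = days_until_expiry(changed, today, pci)
        if left is not None and left <= warn_days:
            report.append((email, left))
    return sorted(report, key=lambda item: item[1])

# Constructed sample inventory
SAMPLE_ACCOUNTS = [
    ("a@example.com", date(2024, 1, 1), True),
    ("b@example.com", date(2024, 3, 1), True),
    ("c@example.com", date(2023, 1, 1), False),   # non-PCI: never expires
    ("d@example.com", date(2023, 12, 1), True),
]
```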