
Note: Most user interface tasks can be performed in Edge Classic or the New Edge experience. For an overview, getting started topics, and release notes specific to the New Edge experience, see the docs.

About global users

All Edge users are called global users because they are created outside of any Edge organization. Once created, a global user can then be assigned to one or more organizations.

When you assign a user to an organization, you must specify the user's role in that organization. The user's role determines the actions that the user is allowed to perform in that organization. For example, some users are allowed to create APIs, while others can view APIs but cannot modify them. 

A global user can also be assigned to the role of Edge system administrator or Edge read-only system administrator. A system administrator performs all administrative tasks required to maintain Edge, including creating new global users.

In a Cloud-based installation of Edge, Apigee functions in the role of system administrator and read-only system administrator. You can only assign global users to the system administrator role in an Edge for the Private Cloud installation. 

What information defines a user?

An Edge user is defined by a:

  • First name
  • Last name
  • Email address
  • Password

The email address and password function as the user's credentials when logging in to the Edge management UI and when making requests through the Edge management API. 

What are roles?

On its own, a global user cannot do anything in Edge. For a global user to be able to function, the user must be assigned to a role. That role can be either:

  • A system administrator role: For an Edge for the Private Cloud installation only, allows the user to perform all Edge administrative tasks.
  • An organization role: For an organization, determines the actions that the user is allowed to perform in that organization.

Roles are essentially CRUD-based permission sets. CRUD means "create, read, update, delete". For example, a user may be given a role in an organization that permits read, or "get", access to details about a protected entity, but not write permission to update or delete it. The organization administrator is the highest-level role in the organization, and can perform any CRUD operation on any entity in the organization.

About predefined organization roles

All Edge organizations are created with the following roles with a predefined set of permissions:

You can also create custom roles, with custom permissions, in your organization.

For more, see Creating custom roles in the UI or Creating roles with the API.

About the system administrator roles

Edge supports the following system administrator roles:

When you install Edge for the Private Cloud, the installation script prompts you to create the global user who functions as the system administrator. After installation, you can assign additional global users to the system administrator role. 

An Edge system administrator can:

  • Create organizations, environments, and virtual hosts
  • Add additional components to an Edge installation
  • Configure TLS/SSL on a virtual host
  • Create additional system administrators
  • Perform all other Edge administrative tasks

While it is not required, you can assign a system administrator to an organization, typically as an organization administrator. Unless assigned to an organization, the system administrator cannot log in to the Edge management UI.

For more on the actions allowed by the system administrator, see the Edge Operations Guide available on the Apigee ftp site: ftp://ftp.apigee.com/.
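
The role model from "What are roles?" and the system administrator notes above, written as a small access-review sketch. This is an added example, not Apigee code or the Edge management API: the data layout, entity labels, function names and sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CRUD = frozenset({"create", "read", "update", "delete"})
# Entity types mentioned on this page; the keys are labels chosen for this sketch.
ENTITIES = ("apis", "api_products", "developers", "developer_apps")

@dataclass
class GlobalUser:
    email: str
    sysadmin: bool = False                         # Private Cloud installations only
    org_roles: dict = field(default_factory=dict)  # org -> {entity: set of CRUD ops}

def is_allowed(user, org, entity, op):
    """Organization-level check with default deny: no role in the org, no access."""
    if op not in CRUD:
        raise ValueError(f"not a CRUD operation: {op}")
    role = user.org_roles.get(org)
    return role is not None and op in role.get(entity, ())

def review(users):
    """Return (email, finding) pairs worth a second look in an access review."""
    findings = []
    for u in users:
        if not u.sysadmin and not u.org_roles:
            findings.append((u.email, "no role assigned: account cannot act"))
        if u.sysadmin and u.org_roles:
            findings.append((u.email, "sysadmin with org assignment: UI login possible"))
        for org, role in u.org_roles.items():
            # Full CRUD on every entity matches what the page says of the org administrator.
            if all(CRUD <= set(role.get(e, ())) for e in ENTITIES):
                findings.append((u.email, f"full CRUD in {org}: administrator-equivalent"))
    return findings

# Constructed sample data: addresses, org names and permission sets are invented.
VIEWER = {e: {"read"} for e in ENTITIES}
FULL = {e: set(CRUD) for e in ENTITIES}
USERS = [
    GlobalUser("viewer@example.com", org_roles={"org-a": VIEWER}),
    GlobalUser("builder@example.com", org_roles={"org-a": FULL, "org-b": VIEWER}),
    GlobalUser("unassigned@example.com"),
    GlobalUser("root@example.com", sysadmin=True, org_roles={"org-a": FULL}),
]

if __name__ == "__main__":
    for email, finding in review(USERS):
        print(f"{email}: {finding}")
```

The check covers organization roles only; system-level tasks performed by a system administrator are outside what this sketch models.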

Assigning global users to an organization

The following image shows the structure of an Edge organization:

An organization contains two distinct types of users:

  • Organization users: Create, modify, and deploy APIs, create and manage entities such as API products, developers, and developer apps, generate analytics reports, and perform other administrative tasks. Organization users are Edge global users assigned to an organization with a specific role.
  • Developers: Build the apps that make requests to your APIs. A developer is not an Edge global user. Think of developers as your API customers. To access the APIs in your organization, a developer must register with the organization and then request an API key. A developer can be registered with multiple organizations to consume APIs from different organizations. 

The big difference between users and developers in an organization is that users are Edge global users that build and maintain APIs, while developers are customers that build apps that consume those APIs. Developers typically do not have global user accounts on Edge, and cannot log in to the Edge management UI. The exception to this is an organization user who creates their own developer and developer apps for testing purposes.

There is one more type of user that you have to be concerned with: the app user. This is the person who uses the apps created by developers. However, app users are not defined or controlled by Edge. It is up to you to decide how to implement authentication and authorization for app users. For example, an app might require the app user to log in. How you process that login is up to you, possibly by accessing a backend LDAP service or other type of authentication mechanism.

For more on developers, see Publishing Overview.
