Creating global users

You're viewing Apigee Edge documentation.

Create a global user through the Edge UI, Edge API, or directly from the Apigee web site, as described below.

  • Edge UI
    For both Edge for Public Cloud and Edge for Private Cloud, an organization administrator uses the Edge UI to add a global user to an existing organization with a specific role. If the user already exists, the user is added to the organization.

    If the user does not exist, then Edge creates the user and sends the user an email message to activate the account and to set a password. The user appears in the Edge UI immediately, even before the user activates the account.

    While the organization administrator does not have the permission necessary to directly create the user, adding a new user to the organization in the Edge UI initiates the Edge workflow that creates the user.
  • Edge API
    In an Edge for Private Cloud installation, a system administrator uses the Edge API to create a global user.

    After creating the user, you must make a second API call to add the user to a system administrator role, to an organization and organization role, or both. The new user cannot sign in to the Edge UI until added to an organization.

  • Apigee web site
    Anyone can register for a free Edge cloud account at https://login.apigee.com/sign_up. When you create an account directly on Edge, Edge automatically creates a global user and an organization for you, and your user account is assigned to the role of organization administrator for your organization. After you create the account, another organization administrator can add you to their organization.

    See Creating an Apigee Edge account for more.

Creating a global user through the Edge UI

An organization administrator can create a user in the Edge UI, and assign a role to the new user in the organization:

  1. Access the Users page, as described below.

    Edge

    To access the Users page using the Edge UI:

    1. Sign in to https://apigee.com/edge as an organization administrator.
    2. Select Admin > Users.

      If you are not an organization administrator, this menu is not available.

    Classic Edge (Private Cloud)

    To access the Users page using the Classic Edge UI:

    1. Sign in to http://ms-ip:9000 as an organization administrator, where ms-ip is the IP address or DNS name of the Management Server node.
    2. Select Admin > Organization Users.
  2. Click + User.

    The New User page displays.

  3. Enter the user's email address.
  4. Select the roles you want to assign to the user.
    You can add more than one role to a user.
  5. Click Save.

    The user appears in the Edge UI and Edge sends the new user an email with instructions to activate their account and sign in.

The user can sign in to the Edge UI using one of the following:

  • Email address
  • Username, which is the part of the email address before @.

Creating a global user through the Edge API

In Apigee Edge for Private Cloud, adding a new user through the Edge API is a two-step process:

  1. As the system administrator, make the API call to add the new global user:
    curl -H "Content-Type:application/xml" -u <sysAdminEmail:pword> \
      -X POST https://<ms_IP>:8080/v1/users \
      -d '<User>
        <FirstName>Foo</FirstName>
        <LastName>Bar</LastName>
        <Password>myPword</Password>
        <EmailId>foo@bar.com</EmailId>
      </User>'
    
    where <ms_IP> is the IP address or DNS name of the Edge Management Server.
  2. Assign the new user to a role by performing one or both of the following:
    1. If the new user is going to function as a system administrator, then as the system administrator use the following API call to add the user to the system administrator role, sysadmin, or read-only system administrator role, sysadmin-readonly:
      curl -u <sysAdminEmail>:<passwd> \
       -X POST https://<ms_IP>:8080/v1/userroles/sysadmin/users \
       -d 'id=foo@bar.com'
      
    2. As the system administrator or organization administrator, assign the new user to a role in an organization. A global user does not appear in the Edge UI, and cannot log into the Edge UI, until that user is assigned to a role in an organization.
      curl -H "Content-Type:application/x-www-form-urlencoded" \
        -u <orgOrSysAdminEmail:pword> -X POST \
        "https://<ms_IP>:8080/v1/organizations/{org_name}/userroles/{role_name}/users?id=foo@bar.com"
      
      Replace {role_name} with the specific role for the new user. Roles include:
      • Organization administrator: orgadmin
      • Read-only organization administrator (Cloud only): readonlyadmin
      • Operations administrator: opsadmin
      • Business user: businessuser
      • User: user

Performing additional tasks to manage users

The following table shows operations that you can perform on a global user.

Many of these operations, such as deleting a global user, require system administrator privileges. For a Cloud-based installation of Edge, contact Apigee Edge Support to perform these actions. For an Edge for Private Cloud installation, the system administrator can perform them.

Manage global users

| Action | Required role | How |
|---|---|---|
| List all users | sys admin | API |
| Add user* | sys admin | API* |
| Delete user | sys admin | API |
| Changing user password or other information | sys admin | API |
| List all roles for user | sys admin | API |

*While only the sys admin can create the user, an organization administrator can trigger the workflow by adding a new user to an organization in the Edge management UI.

Manage sys admin roles

| Action | Required role | How |
|---|---|---|
| List sys admin roles | sys admin | API |
| Add user to sys admin role | sys admin | API |
| List users in sys admin role | sys admin | API |
| Remove user from sys admin role | sys admin | API |

Manage organization roles

| Action | Required role | How |
|---|---|---|
| List Roles of Organization | sys admin, org admin | API/UI |
| Add a user to a role | sys admin, org admin | API/UI |
| Get users for a role | sys admin, org admin | API/UI |
| List users in an organization** | sys admin, org admin | UI |
| Remove user membership in role | sys admin, org admin | API/UI |
| For additional operations, see User roles | sys admin, org admin | API/UI |

** There is no single API call that lists all users in an organization. Instead, you make one call to get all roles in the organization. Then you iterate through the list of roles to get all users in each role.
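
The role-by-role enumeration described in the note above, written out as an added example for access reviews (it is not code from the Apigee documentation). It assumes that a GET on `/v1/organizations/{org_name}/userroles` and on `.../userroles/{role_name}/users` returns a JSON array of role names and of user email addresses respectively; `example-org`, the sample addresses and the helper names are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request
from collections import defaultdict


def make_fetch(base_url, email, password):
    """Return fetch(path): authenticated GET against the Management Server, parsed as JSON."""
    token = base64.b64encode(f"{email}:{password}".encode()).decode()

    def fetch(path):
        req = urllib.request.Request(base_url + path, headers={
            "Authorization": "Basic " + token,
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def users_in_org(fetch, org):
    """One call for the org's roles, then one call per role; returns {user: [roles]}."""
    org_path = "/v1/organizations/" + urllib.parse.quote(org, safe="")
    roles_by_user = defaultdict(set)
    for role in fetch(org_path + "/userroles"):      # assumed: JSON array of role names
        users_path = org_path + "/userroles/" + urllib.parse.quote(role, safe="") + "/users"
        for user in fetch(users_path):               # assumed: JSON array of emails
            roles_by_user[user].add(role)
    return {u: sorted(r) for u, r in sorted(roles_by_user.items())}


def holders(roles_by_user, role):
    """Users holding `role`, e.g. to review who is an organization administrator."""
    return [u for u, roles in roles_by_user.items() if role in roles]


# Constructed sample responses so the example runs offline.
SAMPLE = {
    "/v1/organizations/example-org/userroles": ["orgadmin", "opsadmin", "user"],
    "/v1/organizations/example-org/userroles/orgadmin/users": ["alice@example.com"],
    "/v1/organizations/example-org/userroles/opsadmin/users": ["alice@example.com", "bob@example.com"],
    "/v1/organizations/example-org/userroles/user/users": [],
}

if __name__ == "__main__":
    report = users_in_org(SAMPLE.__getitem__, "example-org")
    for user, roles in report.items():
        print(user, ",".join(roles))
    print("orgadmin holders:", holders(report, "orgadmin"))
```

Against a real installation, pass `make_fetch("https://<ms_IP>:8080", email, password)` as `fetch` instead of the sample lookup.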