This topic explains how to create custom roles in the management UI. Only an organization administrator can create custom roles.
What are custom roles?
Each Edge organization comes with a few built-in roles that provide different permission levels. You can assign administrative users to any of these roles. However, you can also create unique roles that include the exact permissions you want. For example, you might want a role that allows access to API proxies only, nothing else. To do that, you'd create a custom role.
You can create custom roles to fine-tune access to Apigee Edge entities, for example:
- API proxies
- API products
- Developer apps
- Environments (Trace tool sessions and deployments)
- Custom reports (Analytics)
You can achieve even more granularity by applying role-based access to specific instances of an entity. For example, you can apply role-based access to all API products or to specific ones.
More granular permissions take precedence over less granular ones. For example, permissions applied to a specific developer app take precedence over a less-granular permission applied to all developer apps.
Whole groups of entities vs. single instances
You can set some custom role permissions on a group of entities (e.g., all API products) or on a single instance (e.g., one specific product).
If you set permissions on an instance, a privileged user can perform the permitted operations on that instance only. If set on a group (e.g., all API proxies), the user can perform the operations on any instance in the collection.
You can also enable deploy and trace options on APIs and caches. These operations are also environment-specific. For example, you can allow a role to deploy only to the prod environment.
Using the management UI to create custom roles
An org administrator can create custom roles through the management UI.
- Go to Admin > Organization Roles.
- Click + Custom Role.
- Use the New Custom Role dialog to create the custom role.
The following screenshot shows part of the New Custom Role dialog. In this example, the role is called WeatherApiRole, and it allows a user to view, edit, and delete an API proxy with the path /weatherapi. In addition, this user can view trace sessions in both the prod and test environments, but can deploy only to the test environment.
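The precedence rule ("more granular permissions take precedence") and the WeatherApiRole permissions described above can be checked with a small model. This is an added example, not Apigee code: the resource path shapes, verb names, and the `/apps/billing-app` rule pair are assumptions constructed for illustration and are not the management API's actual permission paths.

```python
# Added illustration: a toy evaluator, not Apigee code. Resource paths and
# verb names are constructed for this example, not real management API paths.

WEATHER_API_ROLE = {
    # Instance-level: one proxy only (from the WeatherApiRole description).
    "/apis/weatherapi": {"view", "edit", "delete"},
    # Trace sessions are viewable in both environments.
    "/environments/prod/apis/weatherapi/trace": {"view"},
    "/environments/test/apis/weatherapi/trace": {"view"},
    # Deployment is granted for test only; prod has no rule, so it is denied.
    "/environments/test/apis/weatherapi/deployments": {"deploy"},
    # Constructed group vs. instance pair to exercise the precedence rule.
    "/apps/*": {"view", "edit"},
    "/apps/billing-app": {"view"},
}


def _segments(path):
    return path.strip("/").split("/")


def matches(pattern, resource):
    """True if every pattern segment equals the resource segment or is '*'."""
    p, r = _segments(pattern), _segments(resource)
    return len(p) == len(r) and all(a in ("*", b) for a, b in zip(p, r))


def specificity(pattern):
    """Number of literal (non-wildcard) segments; higher is more granular."""
    return sum(seg != "*" for seg in _segments(pattern))


def is_allowed(role, resource, verb):
    """Apply the most granular matching rule; deny when nothing matches."""
    candidates = [p for p in role if matches(p, resource)]
    if not candidates:
        return False
    top = max(specificity(p) for p in candidates)
    # Fail closed if equally granular rules disagree.
    return all(verb in role[p] for p in candidates if specificity(p) == top)


if __name__ == "__main__":
    for res, verb in [("/apis/weatherapi", "delete"),
                      ("/environments/prod/apis/weatherapi/deployments", "deploy"),
                      ("/apps/billing-app", "edit"),
                      ("/apps/other-app", "edit")]:
        print(res, verb, is_allowed(WEATHER_API_ROLE, res, verb))
```

In this model the instance rule replaces the group rule rather than merging with it, so a narrower instance-level grant can reduce what a group-level grant would otherwise allow.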
Using the API to create and assign roles
You can also use the management API to create custom roles and assign roles to users. For details, see Creating roles with the API.