Apigee roles

This section describes the Apigee-specific roles that you commonly assign to users.

Apigee-specific roles

Apigee provides a set of pre-defined (or curated) roles called Apigee roles. Most Apigee roles can, at a minimum, list environments and projects within your Apigee organization.

The following table describes the general set of permissions that the curated roles have:

| Pre-Defined Role Name | Description | Permissions |
| --- | --- | --- |
| Apigee Org Admin | A super user that has full access to all Apigee resources in the Apigee organization. | Can access all available actions for all APIs. |
| Apigee API Creator | A developer that creates and tests API proxies. | Has read access to the following: API products, Apps. Can edit: API proxies, Shared flows, Key Value Maps (KVMs). |
| Apigee Deployer | Deploys and undeploys API proxies to the runtime. | Has read access to the following: API products, Apps, API proxies. Can edit: Flow hooks, Keystores, KVMs, Shared flows, Target servers. Can also deploy and undeploy API proxy revisions. |
| Apigee Developer Administrator | Manages developer access to apps. | Has read access to the following: API products. Can edit: App keys, Companies, Company apps, Developer apps, Developers. |
| Apigee Read Only Administrator | An administrator who can run reports and view everything in the Apigee organization without the ability to create or change anything. | Has read access to all Apigee resources within the Apigee organization. Your GCP project’s service account is assigned this role during setup and installation. |
| Apigee Analytics Viewer | Can view environment statistics. | None. |
| Apigee Analytics Editor | Creates and analyzes reports on API proxy traffic for an Apigee organization. | Can edit the following: Queries, Reports. |

The next section shows specific permissions for each of these roles per API.

Apigee role permissions

The following table lists the specific permissions for each role:

| Apigee API (apigee.*) / Default (built-in) Role | Apigee Org Admin | Apigee Read Only Administrator | Apigee API Creator | Apigee Deployer | Apigee Developer Administrator | Apigee Analytics Viewer | Apigee Analytics Editor |
| --- | --- | --- | --- | --- | --- | --- | --- |
| apiproducts | * | G,L | G,L | G,L | G,L | - | - |
| apiproductsattributes | * | G,L | G,L | G,L | G,L | - | - |
| appkeys | * | G,L | - | - | G,C,M,D | - | - |
| apps | * | G,L | G,L | G,L | - | - | - |
| companies | * | G,L | - | - | G,L,C,U | - | - |
| companyapps | * | G,L | - | - | G,L,C,U | - | - |
| deployments | * | G,L | - | * | - | - | - |
| developerappattributes | * | G,L | - | - | * | - | - |
| developerapps | * | G,L | - | - | * | - | - |
| developerattributes | * | G,L | - | - | * | - | - |
| developers | * | G,L | - | - | * | - | - |
| environments | * | G,L,GS,GIP,GDL | G,L,GS | G,L,GS,GIP,SIP | G,GS | GS | G,GS |
| flowhooks | * | G,L,GSF | - | * | - | - | - |
| keystorealiases | * | G,L | - | * | - | - | - |
| keystores | * | G,L |  | * | - | - | - |
| keyvaluemaps | * | G,L | L,C,D | * | - | - | - |
| oauth2accesstokens | * | G,L | - | - | - | - | - |
| oauth2authorizationcodes | * | G,L | - | - | - | - | - |
| oauth2refreshtokens | * | G,L | - | - | - | - | - |
| organizations | * | G,L | G,L | G,L | G,L | G,L | G,L |
| proxies | * | G,L | G,L,C,D | G,L | - | - | - |
| proxyrevisions | * | G,L | G,L,U,D | G,L,DP,UN | - | - | - |
| queries | * | G,L | - | - | - | - | G,L,C |
| reports | * | G,L | - | - | - | - | G,L,C,U,D |
| sharedflowrevisions | * | G,L | * | * | - | - | - |
| sharedflows | * | G,L | G,L,C,D | * | - | - | - |
| targetservers | * | G,L | - | * | - | - | - |
| resourcemanager.projects | G,L,GIP | G,L,GIP | G,L | G,L,GIP | G,L,GIP | G,L | G,L |

KEY:
C: Create          GDL: getDataLocation
D: Delete          GSF: getSharedFlow
G: Get             GIP: getIamPolicy
L: List            GS: getStats
U: Update          SIP: setIamPolicy
DP: Deploy         UN: Undeploy
M: Manage
*: All
-: Not available/none

Note that no roles have permissions to create or delete an Apigee organization. Only Apigee can create or delete an organization.

In addition to the Apigee roles, you also apply GCP roles such as Logs Writer and Storage Object Admin to your users. For example, Apigee recommends that you assign these roles to service accounts, as described in Step 6: Add service accounts.
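
The permissions table can be used to choose the narrowest role for a task instead of defaulting to Apigee Org Admin. The following Python is an added example, not part of Apigee's documentation or tooling: it transcribes a subset of rows from the table and returns the lowest-breadth role, or pair of roles, that covers a set of needed actions. The function names, the sample needs and the weighting of a `*` cell as 100 are assumptions made for illustration.

```python
from itertools import combinations

# Column order of the permissions table on this page.
ROLES = ["Apigee Org Admin", "Apigee Read Only Administrator", "Apigee API Creator",
         "Apigee Deployer", "Apigee Developer Administrator",
         "Apigee Analytics Viewer", "Apigee Analytics Editor"]

# Rows transcribed from the table (a subset, to keep the example short).
MATRIX = {
    "proxies":        "* G,L G,L,C,D G,L - - -",
    "proxyrevisions": "* G,L G,L,U,D G,L,DP,UN - - -",
    "deployments":    "* G,L - * - - -",
    "targetservers":  "* G,L - * - - -",
    "keyvaluemaps":   "* G,L L,C,D * - - -",
    "appkeys":        "* G,L - - G,C,M,D - -",
    "developers":     "* G,L - - * - -",
    "reports":        "* G,L - - - - G,L,C,U,D",
}

def cell(role, resource):
    """Action codes a role holds on a resource ('*' = all, empty set = none).
    Raises KeyError for a resource that was not transcribed into MATRIX."""
    raw = MATRIX[resource].split()[ROLES.index(role)]
    return set() if raw == "-" else set(raw.split(","))

def allows(role, resource, action):
    held = cell(role, resource)
    return "*" in held or action in held

def breadth(role):
    """Assumed weighting: a wildcard cell counts as 100, otherwise one per action."""
    return sum(100 if "*" in cell(role, r) else len(cell(role, r)) for r in MATRIX)

def narrowest_grant(needs, max_roles=2):
    """Lowest-breadth set of up to max_roles roles covering every (resource, action)."""
    best = None
    for n in range(1, max_roles + 1):
        for combo in combinations(ROLES, n):
            if all(any(allows(r, res, act) for r in combo) for res, act in needs):
                weight = sum(breadth(r) for r in combo)
                if best is None or weight < best[0]:
                    best = (weight, combo)
    return best[1] if best else None

if __name__ == "__main__":
    # Constructed needs: a CI job that deploys revisions and updates target servers.
    print(narrowest_grant([("proxyrevisions", "DP"), ("targetservers", "U")]))
    # Constructed needs: create a proxy and deploy it; no single narrow role covers both.
    print(narrowest_grant([("proxies", "C"), ("proxyrevisions", "DP")]))
```

In the second case the result is the API Creator and Deployer pair: per the table, only Apigee Org Admin holds both Create on proxies and Deploy on proxy revisions in a single role.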