Apigee roles

This section describes the Apigee-specific roles that you commonly assign to your users. These are not the same roles that you assign to service accounts, which are described in Create service accounts.

Apigee-specific roles

Apigee provides a set of pre-defined (or curated) roles called Apigee roles. In general, all pre-defined Apigee roles can:

  • Get and list organizations
  • Get and list environments (most but not all roles)
  • Get and list projects

The following table describes the general set of permissions that the curated roles have:

Pre-Defined Role Name: Analytics Editor
Description: Creates and analyzes reports on API proxy traffic for an Apigee organization.
Permissions: Can edit the following:
  • Queries
  • Reports

Pre-Defined Role Name: Analytics Viewer
Description: Views analytics data for an organization.
Permissions: Can get environment stats.

Pre-Defined Role Name: API Creator
Description: A developer that creates and tests API proxies.
Permissions: Has read access to the following:
  • API products
  • Apps
Can edit:
  • API proxies
  • Shared flows
  • Key Value Maps (KVMs)

Pre-Defined Role Name: Deployer
Description: Deploys and undeploys API proxies to the runtime.
Permissions: Has read access to the following:
  • API products
  • Apps
  • API proxies
Can edit:
  • Flow hooks
  • Keystores
  • KVMs
  • Shared flows
  • Target servers
Can also deploy and undeploy API proxy revisions.

Pre-Defined Role Name: Developer Admin.
Description: Manages developer access to apps.
Permissions: Has read access to the following:
  • API products
Can edit:
  • App keys
  • Companies
  • Company apps
  • Developer apps
  • Developers

Pre-Defined Role Name: Org Admin.
Description: A super user that has full access to all Apigee resources in the Apigee organization.
Permissions: Can access all available actions for all APIs. This is the only role that can create, delete, or update organizations, as described in Step 3: Enable APIs.

Pre-Defined Role Name: Read Only Admin.
Description: An administrator who can run reports and view everything in the Apigee organization without the ability to create or change anything.
Permissions: Has read access to all Apigee resources within the Apigee organization.
Your GCP project’s service account is assigned this role during setup and installation.

The next section shows specific permissions for each of these roles per API.

Apigee role permissions

The following table lists the specific permissions for each role:

Apigee API                Apigee Role ("Apigee ...")
(apigee.*)                Org Admin.  Read Only Admin.  API Creator  Deployer        Developer Admin.  Analytics Viewer  Analytics Editor
apiproducts               *           G,L               G,L          G,L             G,L               -                 -
apiproductsattributes     *           G,L               G,L          G,L             G,L               -                 -
appkeys                   *           G,L               -            -               G,C,M,D           -                 -
apps                      *           G,L               G,L          G,L             -                 -                 -
companies                 *           G,L               -            -               G,L,C,U           -                 -
companyapps               *           G,L               -            -               G,L,C,U           -                 -
deployments               *           G,L               -            *               -                 -                 -
developerappattributes    *           G,L               -            -               *                 -                 -
developerapps             *           G,L               -            -               *                 -                 -
developerattributes       *           G,L               -            -               *                 -                 -
developers                *           G,L               -            -               *                 -                 -
environments              *           G,L,GS,GIP,GDL    G,L,GS       G,L,GS,GIP,SIP  G,GS              GS                G,GS
flowhooks                 *           G,L,GSF           -            *               -                 -                 -
keystorealiases           *           G,L               -            *               -                 -                 -
keystores                 *           G,L                            *               -                 -                 -
keyvaluemaps              *           G,L               L,C,D        *               -                 -                 -
oauth2accesstokens        *           G,L               -            -               -                 -                 -
oauth2authorizationcodes  *           G,L               -            -               -                 -                 -
oauth2refreshtokens       *           G,L               -            -               -                 -                 -
organizations             *           G,L               G,L          G,L             G,L               G,L               G,L
proxies                   *           G,L               G,L,C,D      G,L             -                 -                 -
proxyrevisions            *           G,L               G,L,U,D      G,L,DP,UN       -                 -                 -
queries                   *           G,L               -            -               -                 -                 G,L,C
reports                   *           G,L               -            -               -                 -                 G,L,C,U,D
sharedflowrevisions       *           G,L               *            *               -                 -                 -
sharedflows               *           G,L               G,L,C,D      *               -                 -                 -
targetservers             *           G,L               -            *               -                 -                 -
resourcemanager.projects  G,L,GIP     G,L,GIP           G,L          G,L,GIP         G,L,GIP           G,L               G,L

KEY:
C: Create          GDL: getDataLocation          M: Manage
D: Delete          GSF: getSharedFlow            DP: Deploy
G: Get             GIP: getIamPolicy             UN: Undeploy
L: List            SIP: setIamPolicy             *: All
U: Update          GS:  getStats                 -: Not available/none

In addition to the Apigee roles, you also apply GCP roles such as Logs Writer and Storage Object Admin to your users. For example, Apigee recommends that you assign these roles to service accounts, as described in Create service accounts.