This section describes the Apigee-specific roles that you commonly assign to your users. These are not the same roles that you assign to service accounts, which are described in Create service accounts.
Apigee-specific roles
Apigee provides a set of pre-defined (or curated) roles called Apigee roles. In general, all pre-defined Apigee roles can:
- Get and list organizations
- Get and list environments (most but not all roles)
- Get and list projects
The following table describes the general set of permissions that the curated roles have:
Pre-Defined Role Name | Description | Permissions |
---|---|---|
Analytics Editor | Creates and analyzes reports on API proxy traffic for an Apigee organization. | Can edit the following: |
Analytics Viewer | Views analytics data for an organization. | Can get environment stats. |
API Creator | A developer that creates and tests API proxies. | Has read access to the following: Can edit: |
Deployer | Deploys and undeploys API proxies to the runtime. | Has read access to the following: Can edit: Can also deploy and undeploy API proxy revisions. |
Developer Admin. | Manages developer access to apps. | Has read access to the following: Can edit: |
Org Admin. | A super user that has full access to all Apigee resources in the Apigee organization. | Can access all available actions for all APIs. This is the only role that can create, delete, or update organizations, as described in Step 3: Enable APIs. |
Read Only Admin. | An administrator who can run reports and view everything in the Apigee organization without the ability to create or change anything. | Has read access to all Apigee resources within the Apigee organization. Your GCP project’s service account is assigned this role during setup and installation. |
The next section shows specific permissions for each of these roles per API.
Apigee role permissions
The following table lists the specific permissions for each role:
Columns 2 through 8 are Apigee roles ("Apigee ..."):
Apigee API (apigee.*) | Org Admin. | Read Only Admin. | API Creator | Deployer | Developer Admin. | Analytics Viewer | Analytics Editor |
---|---|---|---|---|---|---|---|
apiproducts | * | G,L | G,L | G,L | G,L | - | - |
apiproductsattributes | * | G,L | G,L | G,L | G,L | - | - |
appkeys | * | G,L | - | - | G,C,M,D | - | - |
apps | * | G,L | G,L | G,L | - | - | - |
companies | * | G,L | - | - | G,L,C,U | - | - |
companyapps | * | G,L | - | - | G,L,C,U | - | - |
deployments | * | G,L | - | * | - | - | - |
developerappattributes | * | G,L | - | - | * | - | - |
developerapps | * | G,L | - | - | * | - | - |
developerattributes | * | G,L | - | - | * | - | - |
developers | * | G,L | - | - | * | - | - |
environments | * | G,L,GS,GIP,GDL | G,L,GS | G,L,GS,GIP,SIP | G,GS | GS | G,GS |
flowhooks | * | G,L,GSF | - | * | - | - | - |
keystorealiases | * | G,L | - | * | - | - | - |
keystores | * | G,L | * | - | - | - | |
keyvaluemaps | * | G,L | L,C,D | * | - | - | - |
oauth2accesstokens | * | G,L | - | - | - | - | - |
oauth2authorizationcodes | * | G,L | - | - | - | - | - |
oauth2refreshtokens | * | G,L | - | - | - | - | - |
organizations | * | G,L | G,L | G,L | G,L | G,L | G,L |
proxies | * | G,L | G,L,C,D | G,L | - | - | - |
proxyrevisions | * | G,L | G,L,U,D | G,L,DP,UN | - | - | - |
queries | * | G,L | - | - | - | - | G,L,C |
reports | * | G,L | - | - | - | - | G,L,C,U,D |
sharedflowrevisions | * | G,L | * | * | - | - | - |
sharedflows | * | G,L | G,L,C,D | * | - | - | - |
targetservers | * | G,L | - | * | - | - | - |
resourcemanager.projects | G,L,GIP | G,L,GIP | G,L | G,L,GIP | G,L,GIP | G,L | G,L |
KEY:
- C: Create
- D: Delete
- DP: Deploy
- G: Get
- GDL: getDataLocation
- GIP: getIamPolicy
- GS: getStats
- GSF: getSharedFlow
- L: List
- M: Manage
- SIP: setIamPolicy
- U: Update
- UN: Undeploy
- *: All
- -: Not available/none
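The matrix above can drive a least-privilege check. The following is an added example, not part of the Apigee documentation: it parses a hand-transcribed subset of the table and returns the roles that cover a set of required actions, narrowest first. The function names and the breadth weighting are assumptions made for illustration, and role names are written without the trailing period.

```python
# Added example: pick the least-privileged Apigee role from the matrix above.
# ROWS is a subset of the table, transcribed by hand; "*" means all actions.
ROLES = ["Org Admin", "Read Only Admin", "API Creator", "Deployer",
         "Developer Admin", "Analytics Viewer", "Analytics Editor"]
ROWS = """
appkeys        | * | G,L | -       | -         | G,C,M,D | - | -
deployments    | * | G,L | -       | *         | -       | - | -
developers     | * | G,L | -       | -         | *       | - | -
environments   | * | G,L,GS,GIP,GDL | G,L,GS | G,L,GS,GIP,SIP | G,GS | GS | G,GS
keyvaluemaps   | * | G,L | L,C,D   | *         | -       | - | -
proxies        | * | G,L | G,L,C,D | G,L       | -       | - | -
proxyrevisions | * | G,L | G,L,U,D | G,L,DP,UN | -       | - | -
reports        | * | G,L | -       | -         | -       | - | G,L,C,U,D
"""

def parse(rows):
    """Return {role: {resource: set(actions)}}; '-' becomes an empty set."""
    matrix = {role: {} for role in ROLES}
    for line in rows.strip().splitlines():
        resource, *cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(ROLES):
            raise ValueError(f"row {resource!r}: expected {len(ROLES)} cells")
        for role, cell in zip(ROLES, cells):
            matrix[role][resource] = set() if cell == "-" else set(cell.split(","))
    return matrix

MATRIX = parse(ROWS)

def allowed(role, resource, action):
    """True if the role's cell for the resource grants the action or '*'."""
    granted = MATRIX[role].get(resource, set())
    return "*" in granted or action in granted

def breadth(role):
    # Hypothetical weighting: "*" outranks any explicit list, so
    # wildcard-heavy roles sort last.
    return sum(100 if "*" in acts else len(acts) for acts in MATRIX[role].values())

def least_privileged(needs):
    """needs: iterable of (resource, action). Narrowest covering roles first."""
    needs = list(needs)
    fits = [r for r in ROLES if all(allowed(r, res, act) for res, act in needs)]
    return sorted(fits, key=breadth)

if __name__ == "__main__":
    print(least_privileged([("proxyrevisions", "DP"), ("environments", "G")]))
    print(least_privileged([("appkeys", "G")]))
```

If Org Admin is the only role returned for a routine task, treat that as a prompt to re-check the required actions before granting it.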
In addition to the Apigee roles, you also apply GCP roles such as Logs Writer and Storage Object Admin to your users. For example, Apigee recommends that you assign these roles to service accounts, as described in Create service accounts.