Edge for Private Cloud v. 4.16.05
The Apigee documentation site has extensive information on managing user roles and permissions. Users can be managed using both the Edge UI and the Management API; roles and permissions can be managed only with the Management API.
For information on users and creating users, see:
Many of the operations you perform to manage users require system administrator privileges. In a Cloud-based installation of Edge, Apigee fills the role of system administrator. In an Edge for the Private Cloud installation, your own system administrator must perform these tasks as described below.
Adding a user
You can create a user by using the Edge API, the Edge UI, or Edge commands. This section describes how to use the Edge API and Edge commands. For information on creating users in the Edge UI, see Creating global users.
After you create the user in an organization, you must assign a role to the user. Roles determine the access rights of the user on Edge.
Use the following command to create a user with the Edge API. The XML body is a single-quoted shell string, so do not put line-continuation backslashes inside it; inside single quotes they are not continuation characters and would be sent to the server as part of the body. Note also that with basic authentication the sysadmin password travels base64-encoded, not encrypted, so if TLS is configured for the Management Server use https rather than the plain http shown here:
curl -H "Content-Type:application/xml" -u <sysAdminEmail>:<passwd> \
  -X POST http://<ms_IP>:8080/v1/users \
  -d '<User>
    <FirstName>New</FirstName>
    <LastName>User</LastName>
    <Password>newUserPWord</Password>
    <EmailId>foo@bar.com</EmailId>
  </User>'
Or use the following Edge command to create a user:
> /<inst_root>/apigee/apigee-service/bin/apigee-service apigee-provision create-user -f configFile
Where configFile contains the information necessary to create the user:
APIGEE_ADMINPW=sysAdminPW   # If omitted, you will be prompted.
USER_NAME=foo@bar.com
FIRST_NAME=New
LAST_NAME=User
USER_PWD="newUserPWord"
ORG_NAME=myorg
You can then use this call to view information about the user:
curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users/foo@bar.com
Assigning the user to a role in an organization
Before a new user can do anything, they have to be assigned to a role in an organization. You can assign the user to different roles, including: orgadmin, businessuser, opsadmin, user, or to a custom role defined in the organization.
Assigning a user to a role in an organization automatically adds that user to the organization. Assign a user to multiple organizations by assigning them to a role in each organization.
Use the following command to assign the user to a role in an organization:
curl -X POST -H "Content-Type:application/x-www-form-urlencoded" \
  -u <sysAdminEmail>:<passwd> \
  "http://<ms_IP>:8080/v1/o/<org_name>/userroles/<role>/users?id=foo@bar.com"
You can view the user's roles by using the following command:
curl -u <sysAdminEmail>:<passwd> \
  http://<ms_IP>:8080/v1/users/foo@bar.com/userroles
To remove a user from an organization, remove all roles in that organization from the user. Use the following command to remove a role from a user:
curl -X DELETE -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/o/<org_name>/userroles/<role>/users/foo@bar.com
Adding a system administrator
A system administrator can:
- Create orgs
- Add Routers, Message Processors, and other components to an Edge installation
- Configure TLS/SSL
- Create additional system administrators
- Perform all Edge administrative tasks
Although the installation starts with a single default user for administrative tasks, there can be more than one system administrator. Any user who is a member of the sysadmin role has full permissions on all resources.
You can create the user for the system administrator in either the Edge UI or API. However, you must use the Edge API to assign the user to the role of sysadmin. Assigning a user to the sysadmin role cannot be done in the Edge UI.
To add a system administrator:
- Create a user in the Edge UI or API.
- Add the user to the sysadmin role:
curl -u <sysAdminEmail>:<passwd> \
  -X POST http://<ms_IP>:8080/v1/userroles/sysadmin/users \
  -d 'id=foo@bar.com'
- Make sure the new user is in the sysadmin role:
curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/userroles/sysadmin/users
Returns the user's email address:
[ "foo@bar.com" ]
- Check the permissions of the new user:
curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users/foo@bar.com/permissions
Returns:
{
  "resourcePermission" : [ {
    "path" : "/",
    "permissions" : [ "get", "put", "delete" ]
  } ]
}
- After you add the new system administrator, you can add the user to any orgs.
Note: The new system administrator user cannot log in to the Edge UI until you add the user to at least one org.
- If you later want to remove the user from the system administrator role, use the following API:
curl -X DELETE -u <sysAdminEmail>:<passwd> \
  http://<ms_IP>:8080/v1/userroles/sysadmin/users/foo@bar.com
Note that this call only removes the user from the role; it does not delete the user.
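The create-user, role-assignment and sysadmin procedures above can be scripted, and more importantly verified after the fact from the server's own answers rather than from the status code of the POST. The following Python client is an added example, not Apigee's own tooling. It assumes only the Management API endpoints shown on this page; the management server address in EDGE_MS_URL, the sysadmin credentials in EDGE_SYSADMIN_EMAIL and EDGE_SYSADMIN_PASSWORD, and NEW_USER_PASSWORD are environment variable names chosen for this example. It reads credentials from the environment because `-u user:pass` on a curl command line is visible in `ps` output and shell history, builds the XML body with a parser so a password containing `&` or `<` cannot corrupt the request, and checks both sysadmin membership and the effective permissions on "/" against the response shapes shown above.

```python
"""Create an Edge user, assign a role, and verify the result via the Management API.
Added example, not Apigee tooling. Assumes the endpoints on this page, the server
address in EDGE_MS_URL and sysadmin credentials in EDGE_SYSADMIN_EMAIL/_PASSWORD."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MS_URL = os.environ.get("EDGE_MS_URL", "http://localhost:8080")  # assumed default
FULL_ACCESS = {"get", "put", "delete"}   # what the page shows for path "/"


def user_xml(first, last, password, email):
    """Body for POST /v1/users. ElementTree escapes &, < and > in every field,
    so those characters in a password cannot break or alter the document."""
    user = ET.Element("User")
    for tag, value in (("FirstName", first), ("LastName", last),
                       ("Password", password), ("EmailId", email)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")


def is_sysadmin_member(members, email):
    """GET /v1/userroles/sysadmin/users returns a JSON array such as ["foo@bar.com"];
    compare case-insensitively and ignore stray whitespace around addresses."""
    wanted = email.strip().lower()
    return any(m.strip().lower() == wanted for m in members)


def has_full_access(permissions):
    """True when GET /v1/users/{email}/permissions grants get, put and delete on "/",
    i.e. the user is effectively a system administrator, whichever role granted it."""
    for entry in permissions.get("resourcePermission", []):
        if entry.get("path") == "/" and FULL_ACCESS <= set(entry.get("permissions", [])):
            return True
    return False


class EdgeAdmin:
    """Minimal Management API client; credentials come from the environment so the
    sysadmin password is not on a command line (visible in ps and shell history)."""

    def __init__(self, base_url=MS_URL, email=None, password=None):
        self.base_url = base_url.rstrip("/")
        email = email or os.environ["EDGE_SYSADMIN_EMAIL"]
        password = password or os.environ["EDGE_SYSADMIN_PASSWORD"]
        self.auth = "Basic " + base64.b64encode(f"{email}:{password}".encode()).decode()

    def _call(self, method, path, body=None, content_type=None):
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Accept", "application/json")
        if content_type:
            req.add_header("Content-Type", content_type)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            raise RuntimeError(f"{method} {path} failed: HTTP {err.code}") from err
        return json.loads(raw) if raw else None

    def create_user(self, first, last, password, email):
        body = user_xml(first, last, password, email).encode()
        return self._call("POST", "/v1/users", body, "application/xml")

    def assign_org_role(self, org, role, email):
        # The page passes the user as ?id=<email> on the org role endpoint.
        query = urllib.parse.urlencode({"id": email})
        return self._call("POST", f"/v1/o/{org}/userroles/{role}/users?{query}",
                          b"", "application/x-www-form-urlencoded")

    def add_sysadmin(self, email):
        body = urllib.parse.urlencode({"id": email}).encode()
        return self._call("POST", "/v1/userroles/sysadmin/users", body,
                          "application/x-www-form-urlencoded")

    def sysadmin_members(self):
        return self._call("GET", "/v1/userroles/sysadmin/users")

    def permissions(self, email):
        return self._call("GET", f"/v1/users/{email}/permissions")


def provision_sysadmin(admin, first, last, password, email):
    """Create the user and add it to sysadmin, then verify membership and effective
    permissions from the server's answers instead of trusting the POST."""
    admin.create_user(first, last, password, email)
    admin.add_sysadmin(email)
    if not is_sysadmin_member(admin.sysadmin_members(), email):
        raise RuntimeError(f"{email} is not listed in the sysadmin role after the add")
    if not has_full_access(admin.permissions(email)):
        raise RuntimeError(f"{email} lacks get/put/delete on / after the add")
    return True


if __name__ == "__main__":
    provision_sysadmin(EdgeAdmin(), "New", "User",
                       os.environ["NEW_USER_PASSWORD"], "foo@bar.com")
```

For an ordinary org user, call `admin.create_user(...)` followed by `admin.assign_org_role("myorg", "orgadmin", "foo@bar.com")` and then inspect `admin.permissions(...)`; `has_full_access` should return False for such a user, which is a cheap way to catch a role assignment that silently granted more than intended.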
Specifying the email domain of a system administrator
As an extra level of security, you can specify the required email domain of an Edge system administrator. When adding a system administrator, if the user's email address is not in the specified domain, then adding the user to the sysadmin role fails.
By default, the required domain is empty, meaning you can add any email address to the sysadmin role.
To set the email domain:
- Open management-server.properties in an editor:
vi /<inst_root>/apigee/customer/application/management-server.properties
If this file does not exist, create it.
- Set the conf_security_rbac.global.roles.allowed.domains property to the comma-separated list of allowed domains. For example:
conf_security_rbac.global.roles.allowed.domains=myCo.com,yourCo.com
- Save your changes.
- Restart the Edge Management Server:
/<inst_root>/apigee/apigee-service/bin/apigee-service edge-management-server restart
If you now attempt to add a user to the sysadmin role, and the email address of the user is not in one of the specified domains, the add fails.
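The property is enforced when a user is added to the sysadmin role; the text above says nothing about members who were added before the property was set, so it is worth checking the current member list against the same rule. The following is an added example, not Apigee code: it parses the property out of management-server.properties text, applies the comma-separated, empty-means-any semantics described above, and reports members that the restriction would reject today. The properties text and the member list are constructed sample input, and exact, case-insensitive matching of the part after the last "@" is this example's assumption, since the page does not state Edge's own matching rule.

```python
"""Audit sysadmin role members against conf_security_rbac.global.roles.allowed.domains.
Added example, not Apigee tooling. The sample properties text and member list are
constructed; exact, case-insensitive domain matching is an assumption."""
ALLOWED_KEY = "conf_security_rbac.global.roles.allowed.domains"


def read_allowed_domains(properties_text):
    """Return the set of allowed domains (lower-cased) from Java-style properties
    text. An absent or blank value means no restriction, as the page states."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                                   # blank or comment line
        key, sep, value = line.partition("=")
        if sep and key.strip() == ALLOWED_KEY:
            return {d.strip().lower() for d in value.split(",") if d.strip()}
    return set()


def domain_allowed(email, allowed):
    """Mirror the add-time check: any address passes when the set is empty,
    otherwise the part after the last '@' must be one of the listed domains."""
    if not allowed:
        return True
    _, at, domain = email.strip().rpartition("@")
    return bool(at) and domain.lower() in allowed


def audit_sysadmins(members, allowed):
    """Members of the sysadmin role (the JSON array returned by
    GET /v1/userroles/sysadmin/users) whose address would be rejected today."""
    return sorted(m.strip() for m in members if not domain_allowed(m, allowed))


# Constructed sample input: a properties file as written in the procedure above
# and a sysadmin member list in the shape the Management API returns.
SAMPLE_PROPERTIES = """\
# /<inst_root>/apigee/customer/application/management-server.properties (sample)
conf_security_rbac.global.roles.allowed.domains=myCo.com,yourCo.com
"""
SAMPLE_MEMBERS = ["admin@myCo.com", "ops@yourco.com", "contractor@example.net",
                  "foo@bar.com"]


def sample_audit():
    """Run the audit on the constructed input; returns the flagged addresses."""
    return audit_sysadmins(SAMPLE_MEMBERS, read_allowed_domains(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    for address in sample_audit():
        print(f"sysadmin outside allowed domains: {address}")
```

Feed `read_allowed_domains` the real file contents and `audit_sysadmins` the live output of the GET /v1/userroles/sysadmin/users call shown earlier; an empty result means every current system administrator would also pass the add-time check.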
Deleting a user
You can create a user by using either the Edge API or the Edge UI. However, you can delete a user only by using the API.
To see the list of current users, including email addresses, use the following cURL command:
curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users
Use the following cURL command to delete a user:
curl -u <sysAdminEmail>:<passwd> -X DELETE http://<ms_IP>:8080/v1/users/<userEmail>