Users and roles

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

A user represents an authenticated account that can access an organization and the entities within that organization, such as the environments, API proxies, and keystores.

To add a new user to your Apigee organization, you grant access to the user's account, first in the Cloud project and then in the Apigee UI. (This document uses the terms user and user account interchangeably.)

When you add a new user, you typically:

  1. In the Console, assign the new user to one or more roles in your Cloud project. This gives the user broad access to all environments in the organization.

    For more information, see Managing access in the Console.

  2. In the Apigee UI, grant additional user roles in one or more environments in your Apigee organization. Note that environment-scoped user roles do not supersede roles granted at the Google Cloud level; they are additive.

    For more information, see Manage users in the Apigee UI.

About roles

The capabilities that you grant to the user account depend on the type of role that you assign to them. A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. For example, you might assign a developer to the role of API Admin so that they can create API proxies, KVM, and shared flows. For someone that will deploy proxies, you might assign them to the role of Environment Admin, which grants them the ability to deploy and undeploy API proxy revisions. For details about all Apigee roles, see Apigee roles.

Additionally, the resources that a user can access based on their role depends on where you assigned the role:

  • Google Cloud project - If you assign a role in the Console (on the Google Cloud project), then the user can access all Apigee resources—all environments and resources within those environments—in that role. This is because the Cloud project is the parent of the Apigee UI in the resource hierarchy; the permissions set on the parent (the Cloud project) are inherited by all children (environments). You can refine this access by specifying user roles on a per environment basis in the Apigee UI.

    Access control in Google Cloud Platform is controlled by Identity and Access Management (IAM). IAM lets you set permissions specifying who has what kind of access to which resources in your project. For more information, see Concepts related to identity.

    Users are a type of principal, a broad term that refers to an identity that can be granted access to resources. Other types of Cloud principals include service accounts, Google groups, and G Suite domains. For more information, see this overview of Cloud Identity and Access Management.

  • Environment access - Granting a user role for a specific environment does not supersede roles set at the Google Cloud project level. At the environment level, roles granted to a user are represented as a union with any Cloud roles assigned to the user.

For example, if you define a user as an API Admin on the Cloud project, then that user will have access—as an API Admin— to all environments in your organization.

Role recommendations

Apigee recommends that you do the following for each new user account that you add. (When adding super users or administrators, this is not necessary.):

  1. In the Console, add the new user account and select a role that has a minimal set of permissions. For example, set the role of a new user to API Admin.
  2. In the Apigee UI's Environment Access view, add the user and set any additional user roles for each environment in the organization as described in Manage users. Note that environment-scoped roles set in the Apigee UI do not supersede roles set at the Google Cloud level, they are additive.