API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allow users to create, manage, and stage APIs. The ability to perform tasks in the IBM API Connect user interfaces is controlled through user roles and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see Creating custom roles. You can also create custom roles in the Developer Portal user interface; for more information, see Working with roles in the Developer Portal.

The following sections describe the roles and permissions for each of the IBM API Connect user interfaces:

User roles and permissions in the Cloud Manager UI

The following table describes the Cloud Manager UI user permissions.
Table 1. Cloud Manager UI permissions
Permission Action Meaning
Analytics View View the cloud analytics data
Services View View management and gateway services and servers
  Edit Add, edit, and delete management and gateway services and servers
Organizations View View provider organizations
  Edit Add, update, and delete provider organizations and their owners
Users View View Cloud Manager users
  Edit Add, update, and delete Cloud Manager users
TLS Profiles View View SSL identities
  Edit Add, update, and delete SSL identities
User Registries View View user registries
  Edit Add, update, and delete user registries
Settings View View the cloud settings
  Edit Edit the cloud settings
The following table lists the various Cloud Manager UI roles, and the permissions assigned to them.
Table 2. Cloud Manager UI roles
Role Permissions Actions
Cloud Owner All permissions All actions
Cloud Administrator Analytics View
  Services View, Manage
  Users View, Manage
  TLS Profiles View, Manage
  User Registries View, Manage
  Settings View, Manage
Organization Manager Organizations View, Manage
Topology Administrator Analytics View
  Services View, Manage
  TLS Profiles View, Manage
  User Registries View, Manage
  Settings View, Manage
Note: An additional role, System, provides all permissions for the Cloud Manager user interface and, in addition, provides REST access to all APIs but not to the API Manager or Developer Portal user interfaces themselves.

User roles and permissions in the API Manager UI

The following tables describe the API Manager UI user permissions.

[V5.0.4 and earlier]
Table 3. API Manager UI permissions
Permission Action Meaning
Roles View View the roles editing page
  Edit Create, edit, and delete roles in the roles editing page
Users View View organization users
  Edit Add, update, and delete organization users
TLS Profiles View View SSL Identities
  Edit Create, edit, and delete SSL Identities
User Registries View View user registries
  Edit Create, edit, and delete user registries
Draft APIs View View draft APIs
  Edit Create, update, and delete draft APIs
Draft Products View View Products
  Edit Create, update, and delete draft Products
Subscriptions View View Plan subscriptions
  Approve Approve Plan subscriptions
Catalog Administration View View Catalogs
  Edit Create, edit, and delete Catalogs
Developers View View developers and developer organizations
  Manage Add, update, and delete developers and developer organizations
Analytics View View Catalog analytics
A user with Roles permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles.
[V5.0.4 and earlier]
Table 4. Default API Manager UI roles and the default permissions assigned to those roles.
Role Permissions Actions
Owner All permissions All actions
Administrator All permissions All actions
Product Manager Users View
  TLS Profiles View
  User Registries View
  Draft APIs View, Edit
  Draft Products View, Edit
  Subscriptions View, Approve
  Catalog Administration View
  Developers View, Manage
  Analytics View
API Developer Users View
  TLS Profiles View
  User Registries View
  Draft APIs View, Edit
  Draft Products View, Edit
  Subscriptions View
  Analytics View
Publisher Users View
  TLS Profiles View
  User Registries View
  Draft APIs View
  Draft Products View
  Subscriptions View, Approve
  Catalog Administration View, Edit
  Developers View
  Analytics View
Note: In API Manager, the Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.
[V5.0.5 or later]
Table 5. Organization permissions
Permissions Action Permits the member to
Draft APIs View View draft APIs
  Edit Edit draft APIs
Organization Settings View View organization's configuration settings, including roles, TLS profiles, and user registries
  Manage Manage organization's configuration settings, including roles, TLS profiles, and user registries
Catalogs Create Create Catalogs in the organization; the creator of a Catalog owns that Catalog and has full administration permissions, including deletion of the Catalog
  View View all Catalogs in the organization
  Manage Manage all Catalogs in the organization; this includes permission to delete any Catalog
Draft Products View View draft Products
  Edit Edit draft Products
Organization Members View View organization's members
  Manage Manage organization's members

A user with Organization Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles.

[V5.0.5 or later]
Table 6. Catalog permissions
Permissions Action Permits the member to
Catalog Members View View Catalog members
  Manage Manage Catalog members
Catalogs Settings View View the Catalog's configuration settings, including policies and OpenAPI (Swagger 2.0) extensions
  Manage Manage the Catalog's configuration settings, including policies and OpenAPI (Swagger 2.0) extensions
Subscriptions View View subscriptions
  Manage Manage subscriptions
API Products Stage Stage Products in a Catalog
  View View Products in a Catalog
  Manage Manage Products in a Catalog
Subscription Approvals View View subscription approvals
  Manage Manage subscription approvals
[V5.0.7 or later] Subscription and Application Approvals View View subscription and application upgrade approvals
  [V5.0.7 or later] Manage Manage subscription and application upgrade approvals
Analytics View View analytics
  Manage Manage analytics
Applications View View applications
  Manage Manage applications
Developer Organizations and Developers View View developer organizations and developers
  Manage Manage developer organizations and developers
Product Lifecycle Approvals View View Product lifecycle changes
  Stage Stage Products
  Publish Publish Products
  Deprecate Deprecate Products
  Retire Retire Products
  Replace Replace Products
  Supersede Supersede Products
Spaces Create Create Spaces
  View View Spaces
  Manage Manage Spaces
[V5.0.5 or later]
Table 7. Space permissions
Permissions Action Permits the member to
Space Members View View Space members
  Manage Manage Space members
Spaces Settings View View the Space configuration settings
  Manage Manage the Space configuration settings
Subscriptions View View subscriptions
  Manage Manage subscriptions
API Products Stage Stage Products in a Space
  View View Products in a Space
  Manage Manage Products in a Space
Subscription Approvals View View subscription approvals
  Manage Manage subscription approvals
[V5.0.7 or later] Subscription and Application Approvals View View subscription and application upgrade approvals
  [V5.0.7 or later] Manage Manage subscription and application upgrade approvals
Analytics View View analytics
  Manage Manage analytics
Applications View View applications
  Manage Manage applications
Developer Organizations and Developers View View developer organizations and developers
  Manage Manage developer organizations and developers
Product Lifecycle Approvals View View Product lifecycle changes
  Stage Stage Products
  Publish Publish Products
  Deprecate Deprecate Products
  Retire Retire Products
  Replace Replace Products
  Supersede Supersede Products
[V5.0.5 or later]
Table 8. Default API Manager UI roles and the default permissions assigned to those roles.
Role Component Permissions Actions
Organization Owner All All permissions All actions
Catalog Owner All All permissions All actions
Space Owner All All permissions All actions
Administrator All All permissions All actions
Product Manager Organization Draft APIs View, Edit
    Organization Settings View
    Catalogs View
    Draft Products View, Edit
    Organization Members View
  Catalog Catalog Members View
    Catalog Settings View
    Subscriptions View, Manage
    API Products View
    Subscription Approvals View, Manage
    [V5.0.7 or later] Subscription and Application Approvals View, Manage
    Analytics View, Manage
    Applications View, Manage
    Developer Organizations and Developers View, Manage
    Product Lifecycle Approvals View
    Spaces None
  Space Space Members View
    Spaces Settings View
    Subscriptions View, Manage
    API Products View
    Subscription Approvals View, Manage
    [V5.0.7 or later] Subscription and Application Approvals View, Manage
    Analytics View, Manage
    Applications View, Manage
    Developer Organizations and Developers View, Manage
    Product Lifecycle Approvals View
API Developer Organization Draft APIs View, Edit
    Organization Settings View
    Catalogs Create, View
    Draft Products View, Edit
    Organization Members View
  Catalog Catalog Members View
    Catalog Settings View
    Subscriptions View
    API Products Stage, View, Manage
    Subscription Approvals View
    [V5.0.7 or later] Subscription and Application Approvals View
    Analytics View
    Applications View
    Developer Organizations and Developers View
    Product Lifecycle Approvals View
    Spaces None
  Space Space Members View
    Spaces Settings View
    Subscriptions View
    API Products Stage, View, Manage
    Subscription Approvals View
    [V5.0.7 or later] Subscription and Application Approvals View
    Analytics View
    Applications View
    Developer Organizations and Developers View
    Product Lifecycle Approvals View
API Administrator Organization Draft APIs View
    Organization Settings View
    Catalogs Create, View
    Draft Products View
    Organization Members View
  Catalog Catalog Members View, Manage
    Catalog Settings View, Manage
    Subscriptions View, Manage
    API Products Stage, View, Manage
    Subscription Approvals View, Manage
    [V5.0.7 or later] Subscription and Application Approvals View, Manage
    Analytics View, Manage
    Applications View, Manage
    Developer Organizations and Developers View
    Product Lifecycle Approvals View, Stage, Publish, Deprecate, Retire, Replace, Supersede
    Spaces None
  Space Space Members View
    Spaces Settings View
    Subscriptions View
    API Products Stage, View, Manage
    Subscription Approvals View
    [V5.0.7 or later] Subscription and Application Approvals View
    Analytics View
    Applications View
    Developer Organizations and Developers View
    Product Lifecycle Approvals View
Note: In API Manager, the Organization Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.
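
The following added example (not IBM code) shows how the Table 8 defaults can be audited: it computes the effective grants of a member who holds several roles, flags grants that change who holds which rights (such as Organization Settings > Manage, which permits editing roles), and lists what a custom role adds beyond the default it was derived from. The data layout, the audit rules, the helper names, the constructed custom role, and the assumption that a member can hold more than one role are illustrative and not part of API Connect.

```python
# Added example (not IBM code). Grants are transcribed from selected
# Organization and Catalog rows of Table 8 (V5.0.5 or later); the data
# layout and the audit rules are assumptions made for illustration.

def role(spec):
    """Expand {component: {permission: "Action Action"}} into grant tuples."""
    return {(c, p, a) for c, perms in spec.items()
            for p, acts in perms.items() for a in acts.split()}

DEFAULTS = {
    "API Developer": role({
        "Organization": {"Draft APIs": "View Edit", "Organization Settings": "View",
                         "Draft Products": "View Edit", "Organization Members": "View"},
        "Catalog": {"Catalog Members": "View", "API Products": "Stage View Manage",
                    "Product Lifecycle Approvals": "View"}}),
    "API Administrator": role({
        "Organization": {"Draft APIs": "View", "Organization Settings": "View",
                         "Draft Products": "View", "Organization Members": "View"},
        "Catalog": {"Catalog Members": "View Manage", "API Products": "Stage View Manage",
                    "Product Lifecycle Approvals":
                        "View Stage Publish Deprecate Retire Replace Supersede"}}),
}

# Audit policy (assumption): grants that change who holds which rights.
SENSITIVE = {("Organization", "Organization Settings", "Manage"),
             ("Organization", "Organization Members", "Manage"),
             ("Catalog", "Catalog Members", "Manage")}
AUTHOR = ("Organization", "Draft APIs", "Edit")
PUBLISH = ("Catalog", "Product Lifecycle Approvals", "Publish")

def effective(role_names, roles=DEFAULTS):
    """Union of grants for a member who holds several roles."""
    return set().union(*(roles[n] for n in role_names))

def audit(role_names, roles=DEFAULTS):
    """Sensitive grants held, and whether one member can both author and publish."""
    grants = effective(role_names, roles)
    return sorted(grants & SENSITIVE), {AUTHOR, PUBLISH} <= grants

def excess(custom, baseline):
    """Grants a custom role adds beyond the default role it was copied from."""
    return sorted(custom - baseline)

# Constructed custom role: API Developer plus the right to edit roles.
CUSTOM = DEFAULTS["API Developer"] | {("Organization", "Organization Settings", "Manage")}

if __name__ == "__main__":
    print(audit(["API Developer"]), audit(["API Developer", "API Administrator"]))
    print(excess(CUSTOM, DEFAULTS["API Developer"]))
```

Neither default role alone can both edit draft APIs and publish Products, but a member holding both roles can, which is the kind of combination a periodic role review should surface.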

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications. In addition, you can create custom roles for the Developer Portal site itself; for more information, see Working with roles in the Developer Portal.
Table 9. Developer Portal UI roles
Role Tasks that can be performed
Developer Organization Owner
  • Invite other users to join the developer organization
  • Change the developer organization name
  • View and create applications
  • View Products and APIs
  • View subscriptions and subscribe to use APIs
  • Use the Developer Portal test tool
  • [V5.0.8 or later] Enter your credit card transaction processing information to receive payments for subscription plans.
App Developer
  • View and create applications
  • View Products and APIs
  • View subscriptions and subscribe to use APIs
  • Use the Developer Portal test tool
Viewer
  • View applications
  • View Products and APIs
  • View subscriptions
  • Use the Developer Portal test tool
Note: A user called admin, which has full administrator access to the Developer Portal site, is created automatically. The admin user can view Products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization associated with the Developer Portal.