API Connect user roles
The IBM® API Connect solution provides an infrastructure, tools, and facilities that allow users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles and the permissions that are assigned to those roles.
The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see Creating custom roles. You can also create custom roles in the Developer Portal user interface.
User roles and permissions in the Cloud Manager UI
Permission | Action | Meaning |
---|---|---|
Cloud Settings | View | View all items on the menu (except Roles) |
Cloud Settings | Manage | Add, update, and delete all items on the menu (except Roles) |
Member | View | View members on the members list located at Cloud Manager > Members |
Member | Manage | Add and invite members from Note: By default, a user with permission can assign, to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps: |
Org | View | Org:View is a permission assigned to all Roles in Cloud Manager. It does not provide access to any functionality. It allows a user to activate their membership. It is the only permission in the Member role. |
Provider-Org | View | View the list of provider organizations at |
Provider-Org | Manage | Add, edit, and delete provider organizations and invite owners from |
Settings | View | View the items on the menu plus Roles located at |
Settings | Manage | Add, edit, and delete the items on the menu plus Roles located at |
Topology | View | View the items on the menu |
Topology | Manage | Add, edit, and delete the items on the menu |
Analytics | View | View items on , and also create, update, duplicate, delete, share, and unshare saved queries. |

Role | Permissions | Actions | Default role provides access to | Notes |
---|---|---|---|---|
Owner | All permissions | All actions | All menus | Cannot be modified or deleted. |
Administrator | All permissions | All actions | All menus | Includes analytics:view. |
Member | Org | View | Membership activation only | Cannot be modified or deleted. Member role is automatically assigned to all users when they activate their membership from the invitation. It allows them to activate but does not provide access to any menus. |
Organization Manager | Org | View | N/A | Can be modified and deleted. |
Organization Manager | Provider-Org | View, Manage | Provider Organizations menu | |
Topology Administrator | Org | View | N/A | Can be modified and deleted. |
Topology Administrator | Topology | View, Manage | Topology Menu | |
Topology Administrator | Settings | View, Manage | Resources menu plus | |
Viewer | All permissions | View | All menus, view only | Cannot be modified or deleted. |
User roles and permissions in the API Manager UI
The following tables describe the API Manager UI user permissions.
A user with Roles permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.
Permissions | Action | Permits the member to |
---|---|---|
Member | View | View organization's members |
Member | Manage | Manage organization's members Note: By default, a user with permission can assign, to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps: |
Settings | View | View an organization's configuration settings, including roles, TLS profiles, and user registries. View configuration settings for a Catalog or Space, including policies and OpenAPI extensions. |
Settings | Manage | Manage an organization's configuration settings, including roles, TLS profiles, and user registries. Manage configuration settings for a Catalog or Space, including policies and OpenAPI extensions. |
Topology | View | Same permissions as Settings: View. |
Topology | Manage | Same permissions as Settings: Manage. |
Org | View | View an organization |
Product-Drafts | View | View draft APIs and Products |
Product-Drafts | Edit | View draft APIs and edit draft Products |
Api-Drafts | View | View draft APIs |
Api-Drafts | Edit | Edit draft APIs and view draft Products |
Product | View | View Products |
Product | Stage | Stage Product |
Product | Manage | Manage Product |
Product-Approval | View | View Product lifecycle changes |
Product-Approval | Stage | Approve the staging of a Product |
Product-Approval | Publish | Approve the publishing of a Product |
Product-Approval | Supersede | Approve the superseding of a Product |
Product-Approval | Replace | Approve the replacement of a Product |
Product-Approval | Deprecate | Approve the deprecation of a Product |
Product-Approval | Retire | Approve the retiring of a Product |
Consumer-Org | View | View consumer organization and developers |
Consumer-Org | Manage | Manage consumer organization and developers |
App | View | View both production and development applications. |
App | Manage | Manage both production and development applications. A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission. |
App-Dev | Manage | Same permissions as Settings: Manage. |
App-Approval | View | View application approvals, for requests to promote a development app to a production app. |
App-Approval | Manage | Manage (approve or decline) requests for approval to promote a development app to a production app. |
Subscription | View | View application Plan subscriptions that have been created by application developers in the Developer Portal. |
Subscription | Manage | Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes the ability to migrate a subscription to another plan. |
Subscription-Approval | View | View application Plan subscription approvals. |
Subscription-Approval | Manage | Manage (approve or decline) application Plan subscriptions. |
Consumer-Onboard-Approval | View | View consumer onboard approvals. |
Consumer-Onboard-Approval | Manage | Manage (approve or decline) consumer onboard approvals. |
Api-Analytics | View | View analytics data, as well as access and apply saved analytics queries. |
Api-Analytics | Manage | In addition to the view permissions, the user can create, update, duplicate, delete, share, and unshare saved analytics queries. |
Child | View | At the provider organization level, view Catalogs in the provider organization. At the Catalog level, view Spaces in the Catalog. |
Child | Create | At the provider organization level, create Catalogs in the provider organization. At the Catalog level, create Spaces in the Catalog. |
Child | Manage | At the provider organization level, manage Catalogs in the provider organization. At the Catalog level, manage Spaces in the Catalog. Management tasks include deleting a Catalog or Space, or transferring ownership of a Catalog or Space. |
A user with Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.
Role | Role description | Permissions | Actions |
---|---|---|---|
Organization Owner | A provider organization owner has the full set of access permissions to API Connect functions, and also commissions APIs and tracks their business adoption. | All permissions | All actions. |
Administrator | A provider organization administrator has, by default, the full set of access permissions to API Connect functions, and also commissions APIs and tracks their business adoption. | All permissions | All actions. |
API Administrator | API administrators manage the lifecycle of APIs and publish APIs for discovery and use. | All permissions | All actions, except that this role cannot manage the following permissions: Member, Settings, Topology, and Child. |
Community Manager | A community manager manages the relationship between the provider organization and application developers, provides information about API usage, and provides support to application developers. | Member | View |
Community Manager | | Settings | View |
Community Manager | | Topology | View gateway services or portal services at the provider organization. |
Community Manager | | Org | View |
Community Manager | | Drafts | View, Edit |
Community Manager | | Product | View |
Community Manager | | Product-approval | View |
Community Manager | | Consumer-org | View, Manage |
Community Manager | | App | View, Manage |
Community Manager | | App-dev | Manage |
Community Manager | | App-approval | View, Manage |
Community Manager | | Subscription | View, Manage |
Community Manager | | Subscription-approval | View, Manage |
Community Manager | | Consumer-onboard-approval | View, Manage |
Community Manager | | Api-analytics | View, Manage |
Community Manager | | Child | View |
Developer | API developers design and develop APIs and applications for the provider organizations to which they belong. Note: The Developer role allows the creation of Products and APIs, and the staging and publishing of Products to a Catalog or Space, when assigned to a user at the provider organization level, but not when assigned to a user who is a member only of a Catalog or Space within a provider organization. A Developer in a Catalog or Space can manage Products that are staged or published to the Catalog or Space. | Member | View |
Developer | | Settings | View |
Developer | | Topology | View gateway services or portal services at the provider organization. |
Developer | | Org | View |
Developer | | Drafts | View, Edit |
Developer | | Product | View, Stage, Manage |
Developer | | Product-approval | View, Stage, Publish, Supersede, Replace, Deprecate, Retire |
Developer | | Consumer-org | View |
Developer | | App | View, Manage |
Developer | | App-dev | Manage |
Developer | | App-approval | View, Manage |
Developer | | Subscription | View, Manage |
Developer | | Subscription-approval | View, Manage |
Developer | | Api-analytics | View, Manage |
Developer | | Child | View, Create |
Member | Member of a provider organization | Org | View |
Viewer | Viewer of a provider organization | Member | View |
Viewer | | Topology | View gateway services or portal services at the provider organization. |
Viewer | | Org | View |
Viewer | | Drafts | View |
Viewer | | Product-approval | View |
Viewer | | Consumer-org | View |
Viewer | | App | View |
Viewer | | App-approval | View |
Viewer | | Subscription | View |
Viewer | | Subscription-approval | View |
Viewer | | Api-analytics | View |
Viewer | | Child | View |
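
The Note in the Member Manage rows above describes a role-assignment restriction. The following Python model is an added example, not IBM code: it applies that rule to default roles from the API Manager table and lists which role assignments hand out permissions the assigner does not hold. It assumes the permission elided from the Note is Member Manage (the row the Note sits in), and `Onboarding Helper` is a hypothetical custom role.

```python
# Added illustration, not IBM code. Permission strings follow the page's
# "permission:action" style (compare "Org:View" and "analytics:view").

def perms(spec):
    """Expand 'app:view,manage org:view' into a set of permission strings."""
    out = set()
    for item in spec.split():
        name, actions = item.split(":")
        out.update(f"{name}:{action}" for action in actions.split(","))
    return frozenset(out)

# Rows shared by Community Manager and Developer in the API Manager role table.
COMMON = ("member:view settings:view topology:view org:view drafts:view,edit "
          "app:view,manage app-dev:manage app-approval:view,manage "
          "subscription:view,manage subscription-approval:view,manage "
          "api-analytics:view,manage ")
ROLES = {
    "Member": perms("org:view"),
    "Community Manager": perms(COMMON + "product:view product-approval:view "
        "consumer-org:view,manage consumer-onboard-approval:view,manage child:view"),
    "Developer": perms(COMMON + "product:view,stage,manage consumer-org:view "
        "product-approval:view,stage,publish,supersede,replace,deprecate,retire "
        "child:view,create"),
    # Hypothetical custom role (not on the page): may manage members, little else.
    "Onboarding Helper": perms("org:view member:view,manage"),
}

def can_assign(assigner_roles, target_role, restricted):
    """Return (allowed, gained): gained = target permissions the assigner lacks."""
    held = frozenset().union(*(ROLES[r] for r in assigner_roles))
    gained = ROLES[target_role] - held
    if "member:manage" not in held:   # assumption: Member Manage gates assignment
        return False, gained
    return (not restricted or not gained), gained

def escalation_paths(restricted):
    """Allowed (assigner, target) pairs that grant permissions the assigner lacks."""
    paths = []
    for assigner in ROLES:
        for target in ROLES:
            allowed, gained = can_assign([assigner], target, restricted)
            if allowed and gained:
                paths.append((assigner, target))
    return sorted(paths)

if __name__ == "__main__":
    print("default setting:  ", escalation_paths(restricted=False))
    print("with restriction: ", escalation_paths(restricted=True))
```

Running the same audit over an organization's real custom roles shows which of them depend on the restriction being enabled.
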
User roles in the Developer Portal UI
Role | Role Description | Permission | Actions |
---|---|---|---|
Owner | Owns and administers the app developer organization | Organization member | View, Manage |
Owner | | Organization settings | View, Manage |
Owner | | Organization view | View |
Owner | | Consumer product | View |
Owner | | Consumer app | View or Manage production or development applications |
Owner | | Consumer app-dev | Manage development applications |
Owner | | Consumer subscription | View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes the ability to migrate a subscription to another plan. |
Owner | | Consumer app-analytics | View application analytics |
Administrator | Administers the app developer organization | Organization member | View, Manage |
Administrator | | Organization settings | View, Manage |
Administrator | | Organization | View |
Administrator | | Consumer product | View |
Administrator | | Consumer app | View, Manage production or development applications |
Administrator | | Consumer app-dev | Manage development applications |
Administrator | | Consumer subscription | View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes the ability to migrate a subscription to another plan. |
Administrator | | Consumer app-analytics | View application analytics |
Developer | Builds and manages apps in the developer organization | Organization member | View |
Developer | | Organization settings | View |
Developer | | Organization | View |
Developer | | Consumer product | View |
Developer | | Consumer app | View, Manage production or development applications |
Developer | | Consumer app-dev | Manage development applications |
Developer | | Consumer subscription | View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes the ability to migrate a subscription to another plan. |
Developer | | Consumer app-analytics | View |
Member | Member of the app developer organization | Organization | View |
Viewer | Viewer of the app developer organization | Organization member | View |
Viewer | | Organization settings | View |
Viewer | | Organization | View |
Viewer | | Consumer product | View |
Viewer | | Consumer app | View applications |
Viewer | | Consumer production-app | View production applications |
Viewer | | Consumer app-analytics | View application analytics |