API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allow users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles, and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see: Creating custom roles.

The following sections describe the roles and permissions for each of the API Connect user interfaces.
The roles are as follows:
  • The Member role is given to any user who is onboarded without another role. It is the minimum role, and it allows the user to log in only.
  • Owner and Admin roles have all permissions and they cannot be modified.
  • Custom roles can be created in the Admin organization and in Provider organizations, but not in Consumer organizations.
Note: In Cloud Manager and API Manager, the Owner role has full access and the Member role has read-only access. Neither the Owner role nor the Member role can be edited or deleted. All other roles, including custom roles, can be deleted. If a role is removed from a member, the user's membership remains in API Connect, so you can add a role to the member at a future date.

User roles and permissions in the Cloud Manager UI

The following table describes the Cloud Manager UI user permissions as configured in the base product. Certain roles can be edited as indicated in Table 2, and custom roles can be created. For instructions on how to create custom roles for the Admin organization (Cloud Manager users), see Creating roles in the admin organization.
Table 1. Cloud Manager UI permissions
| Permission | Action | Description |
|---|---|---|
| Cloud Settings | View | View all items in the Cloud Manager > Settings menu including roles and default roles |
| Cloud Settings | Manage | Manage all items in the Cloud Manager > Settings menu including roles and default roles |
| Provider organization | View | View the list of provider organizations in the Cloud Manager > Provider organizations menu |
| Provider organization | Manage | Add, edit, and delete provider organizations and invite owners from the Cloud Manager > Provider organizations menu |
| Analytics | View | View analytics in the Cloud Manager UI and includes create, update, duplicate, delete, share, and unshare saved queries |
| Audit | View | View audit events |
| Settings | View | View roles in the Cloud Manager > Settings > Roles menu |
| Settings | Manage | Manage roles in the Cloud Manager > Settings > Roles menu which includes configuring Governance |
| Member | View | View members on the members list in the Cloud Manager > Members |
| Member | Manage | Add and invite members from the Cloud Manager > Members menu (see the note after this table) |
| Topology | View | View items in the Cloud Manager > Topology menu |
| Topology | Manage | Add, edit, and delete the items in the Cloud Manager > Topology menu |
| Engagement | View | View all items in the Engagement section including rules, tasks, destinations, and engagement configurations. With this permission, you can monitor alert conditions, view notification settings, and track engagement activities across the system. |
| Engagement | Manage | View and modify all items in the Engagement section including creating, updating, and deleting rules, tasks, destinations, and engagement configurations. With this permission, you can configure alert conditions, set up notification channels, and manage the complete engagement workflow. |

Note: By default, a user with Member > Manage permission can assign to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.

The following table lists the various Cloud Manager UI roles and the permissions that are assigned to them.
Table 2. Cloud Manager UI roles
| Role | Actions | Provides access to | Description |
|---|---|---|---|
| Administrator | View, Manage | All menus | Administers the admin organization |
| Owner | View, Manage | All menus | Owns and administers the admin organization |
| Member | View | Organization | Minimum role. The Member role is automatically assigned to any user onboarded without a role. It allows them to log in but does not provide access to any menus. |
| Organization Manager | View, Manage | Organization and provider organization | Manages provider organizations. |
| Topology Administrator | View | Organization, Topology, and Settings | Administers the cloud topology. This role can only manage Topology and Settings. |
| Viewer | View | All menus | Views the admin organization |
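
The Member > Manage note above describes two behaviours: by default any role can be assigned, and with restrict_member_manage_permission set to true the assigner must already hold every permission in the role. The following added example (not IBM code) models both rules and lists which members could hand out more than they hold; the permission strings, role contents, user names, and the "onboarding-helper" custom role are constructed assumptions.

```python
MEMBER_MANAGE = "member:manage"

# Constructed, simplified permission sets (assumptions, not product data);
# "onboarding-helper" is a hypothetical custom role.
ROLES = {
    "member": {"org:view"},
    "viewer": {"org:view", "member:view", "settings:view", "provider-org:view"},
    "organization-manager": {"org:view", "provider-org:view", "provider-org:manage"},
    "onboarding-helper": {"org:view", "member:view", MEMBER_MANAGE},
    "administrator": {"org:view", "member:view", MEMBER_MANAGE, "settings:view",
                      "settings:manage", "provider-org:view", "provider-org:manage"},
}

# Constructed membership list for the admin organization.
USERS = {"alice": ["administrator"], "bob": ["onboarding-helper"], "carol": ["viewer"]}


def permissions_of(role_names):
    """Union of the permissions granted by a user's roles."""
    return set().union(*(ROLES[name] for name in role_names))


def can_assign(assigner_roles, target_role, restricted):
    """True if the assigner may grant target_role.

    `restricted` mirrors restrict_member_manage_permission: when True, the
    assigner must already hold every permission the target role carries.
    """
    held = permissions_of(assigner_roles)
    if MEMBER_MANAGE not in held:
        return False
    return not restricted or ROLES[target_role] <= held


def escalation_paths(users, restricted):
    """For each user, the assignable roles that exceed their own permissions."""
    findings = {}
    for user, roles in users.items():
        held = permissions_of(roles)
        gaps = {role: sorted(perms - held) for role, perms in ROLES.items()
                if perms - held and can_assign(roles, role, restricted)}
        if gaps:
            findings[user] = gaps
    return findings


if __name__ == "__main__":
    for restricted in (False, True):
        print(f"restrict_member_manage_permission={restricted}:",
              escalation_paths(USERS, restricted))
```

With the restriction off, the model reports every role that a narrowly scoped Member > Manage holder could grant beyond their own permissions. With it on, the report is empty.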

User roles and permissions in the API Manager UI

The following tables describe the permissions available in the API Manager UI.

A user with Roles permission can change permission assignments and can create custom roles. For more information, see Creating custom roles in the section, Managing your APIs.

Table 3. Organization permissions
| Permissions | Action | Description |
|---|---|---|
| App-Approval | View | View application approvals for requests to promote a development application to a production application |
| App-Approval | Manage | Approve or decline requests to promote a development application to a production application |
| Subscription | View | View application plan subscriptions created by consumer organizations in the Developer Portal |
| Subscription | Manage | Manage the application plan subscriptions created by consumer organizations in the Developer Portal. Note: The Manage permission includes ability to migrate a subscription to another plan. |
| Subscription-Approval | View | View application plan subscription approvals |
| Subscription-Approval | Manage | Approve or decline application plan subscriptions |
| Consumer-Onboard-Approval | View | View consumer onboarding approvals |
| Consumer-Onboard-Approval | Manage | Approve or decline consumer onboarding approvals |
| API-Analytics | View | View analytics data and access saved analytics queries |
| API-Analytics | Manage | Create, update, duplicate, delete, and share saved analytics queries including view permission |
| Child | View | View catalogs at the provider organization level and spaces at the catalog level |
| Child | Create | Create catalogs in the provider organization level and spaces in the catalog level |
| Child | Manage | Manage catalogs at the provider organization level and spaces at the catalog level. Note: Management tasks include deleting a catalog or space, or transferring ownership of a catalog or space. |
| API-Drafts | View | View draft APIs |
| API-Drafts | Edit | Edit draft APIs and API tests, view draft products, and API testing |
| API-Agent | All | Use conversational API Agent |
| Governance-Enforcement-Approval | View | View all items in the Governance enforcement approval tasks section. With this permission, you can view all tasks created as part of governance enforcement flow, that require approval by catalog administrator |
| Governance-Enforcement-Approval | Manage | View and modify all items in the Governance enforcement approval tasks section. With this permission, you can view and update all tasks (approve or reject) created as part of governance enforcement flow, that require approval by catalog administrator |
| Product | View | View products |
| Product | Stage | Stage products |
| Product | Manage | Manage products |
| Product-Approval | View, Manage | View and manage products, including viewing product lifecycle changes, and performing actions such as: stage, manage, publish, supersede, replace, deprecate, retire |
| Consumer organization | View | View consumer organizations and developers |
| Consumer organization | Manage | Manage consumer organizations and developers |
| App | View | View both production and development applications |
| App | Manage | Manage both production and development applications. Note: A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission. |
| App-Dev | Manage | View and manage the development applications |
| Audit | View | View audit events |
| Settings | View | View an organization's configuration settings, including roles, TLS profiles, and user registries. View configuration settings for a catalog or space, including policies and OpenAPI extensions. |
| Settings | Manage | Manage an organization's configuration settings, including roles, TLS profiles, user registries, Governance, API tests, and Discovery. Manage configuration settings for a catalog or space, including policies and OpenAPI extensions. |
| Member | View | View the members of an organization |
| Member | Manage | Manage the members of an organization (see the note after this table) |
| Engagement | View | View all items in the Engagement section including rules, tasks, destinations, and engagement configurations. With this permission, you can monitor alert conditions, view notification settings, and track engagement activities across the system. |
| Engagement | Manage | View and modify all items in the Engagement section including creating, updating, and deleting rules, tasks, destinations, and engagement configurations. With this permission, you can configure alert conditions, set up notification channels, and manage the complete engagement workflow. |
| Product-Drafts | View | View draft APIs and products |
| Product-Drafts | Edit | View draft APIs and edit draft products |

Note: By default, a user with Member > Manage permission can assign to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.

A user with Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Table 4. Default API Manager UI roles and the default permissions assigned to those roles.
| Role | Action | Provides access to | Description |
|---|---|---|---|
| Administrator | View, Manage | All menus | Administers the API provider organization |
| API Agent User | View | All menus | By default, an API Agent chat user has only view permission. To perform all actions for the API Agent, you need to have the API-Agent permission. |
| Owner | View, Manage | All menus | Owns and administers the API provider organization |
| Viewer | View | All menus | Views the API provider organization |
| API Administrator | View, Manage | All menus, but cannot manage the following: Member, Settings, Topology, Organization, and Child | Manages the lifecycle of APIs and publishes APIs for discovery and use |
| Community Manager | View, Manage | All menus, but cannot manage the following: Member, Settings, Topology, Organization, Product, Product-Approval, and Child | Manages the relationship between the provider organization and consumer organizations, provides information about API usage, and provides support to consumer organizations |
| Member | View | Organization | Minimum role. The Member role is automatically assigned to any user onboarded without a role. It allows them to log in but does not provide access to any menus. |
| Developer | View, Manage | All menus, but cannot manage the following: Menu, Settings, Topology, and Org. For product and Product-Approval the developer role can do the following actions: view, stage, publish, supersede, replace, deprecate, retire, and archive | API developers design and develop APIs and applications for the provider organizations to which they belong. |

Note: The developer role allows the creation of products and APIs, and the staging and publishing of products to a catalog or space, when assigned to a user at the provider organization level but not when assigned to a user who is a member only of a catalog or space within a provider organization. A developer in a catalog or space can manage products that are staged or published to the catalog or space.
Note: Owners and administrators have the full permission to use API Agent. See API Agent user roles for more information.

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications.
Table 5. Developer Portal UI roles
| Role | Action | Provides access to | Description |
|---|---|---|---|
| Owner | View, Manage | Organization member | Owns and administers the consumer organization. Can view or manage the application plan subscriptions created within the organization. The manage permission includes migrating a subscription to another plan. |
| Owner | View, Manage | Organization settings | |
| Owner | View | Organization view | |
| Owner | View | Consumer product | |
| Owner | View, Manage production or development applications | Consumer application | |
| Owner | Manage development application | Consumer organizations | |
| Owner | View, Manage production or development applications | Consumer subscription | |
| Owner | View | Consumer application analytics | |
| Administrator | View, Manage | Organization member | Administers the consumer organization. Can view or manage the application plan subscriptions created within the organization. The manage permission includes the ability to migrate a subscription to another plan. |
| Administrator | View, Manage | Organization settings | |
| Administrator | View | Organization | |
| Administrator | View | Consumer product | |
| Administrator | View, Manage production or development applications | Consumer application | |
| Administrator | Manage development applications | Consumer organizations | |
| Administrator | View, Manage | Consumer subscription | |
| Administrator | View application analytics | Consumer application analytics | |
| Viewer | View | Organization member | Viewer of the consumer organization |
| Viewer | View | Organization settings | |
| Viewer | View | Organization | |
| Viewer | View | Consumer product | |
| Viewer | View applications | Consumer application | |
| Viewer | View production applications | Consumer production application | |
| Viewer | View application analytics | Consumer application analytics | |
| Developer | View | Organization member | Builds and manages applications within the consumer organization. Can view or manage application plan subscriptions created within the organization. The manage permission includes migrating a subscription to another plan. |
| Developer | View | Organization settings | |
| Developer | View | Organization | |
| Developer | View | Consumer product | |
| Developer | View, Manage production or development applications | Consumer application | |
| Developer | Manage development applications | Consumer organizations | |
| Developer | View, Manage | Consumer subscription | |
| Developer | View application analytics | Consumer application analytics | |
| Member | View | Organization | Member of the consumer organization |

Note: A user who is called admin is created automatically, with full administrator access to the Developer Portal site. The admin user can view products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization that is associated with the Developer Portal.