API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allows users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles, and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see: Creating custom roles. You can also create custom roles in the Developer Portal user interface.

The following sections describe the roles and permissions for each of the API Connect user interfaces:

User roles and permissions in the Cloud Manager UI

The following table describes the Cloud Manager UI user permissions as configured in the base product. Certain roles can edited as indicated In Table 2, and custom roles can be created. For instructions on how to create custom roles for the Admin organization (Cloud Manager users), see Creating roles in the admin organization.
Table 1. Cloud Manager UI permissions
Permission Action Meaning
Cloud Settings View View all items on the Cloud Manager > Settings menu (except Roles)
  Manage Add, update, and delete all items on the Cloud Manager > Settings menu (except Roles)
Member View View members on the members list located at Cloud Manager > Members
  Manage Add and invite members from Cloud Manager > Members
Note: By default, a user with Member > Manage permission can assign, to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.
Org View Org:View is a permission assigned to all Roles in Cloud Manager. It does not provide access to any functionality. It allows a user to activate their membership. It is the only permission in the Member role.
Provider-Org View View the list of provider organizations at Cloud Manager > Provider Organizations
  Manage Add, edit, and delete provider organizations and invite owners from Cloud Manager > Provider Organizations
Settings View View the items on the Cloud Manager > Resources menu plus Roles located at Cloud Manager > Settings > Roles
  Manage Add, edit, and delete the items on the Cloud Manager > Resources menu plus Roles located at Cloud Manager > Settings > Roles
Topology View View the items on the Cloud Manager > Topology menu
  Manage Add, edit, and delete the items on the Cloud Manager > Topology menu
The following table lists the various Cloud Manager UI roles and the permissions assigned to them.
Table 2. Cloud Manager UI roles
Role Permissions Actions Default role provides access to Notes
Owner All permissions All actions All menus Cannot be modified or deleted.
Administrator All permissions All actions All menus Can be modified and deleted.
Member Org View Membership activation only Cannot be modified or deleted. Member role is automatically assigned to all users when they activate their membership from the invitation. It allows them to activate but does not provide access to any menus.
Organization Manager Org View N/A Can be modified and deleted.
  Provider-Org View, Manage Provider Organizations menu  
Topology Administrator Org View N/A Can be modified and deleted.
  Topology View, Manage Topology Menu  
  Settings View, Manage Resources menu plus Settings > Roles  
Viewer All permissions View All menus, view only Cannot be modified or deleted.

User roles and permissions in the API Manager UI

The following tables describe the API Manager UI user permissions.

A user with Roles permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Note: In API Manager, the Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.
Table 3. Organization permissions
Permissions Action Permits the member to
Member View View organization's members
  Manage Manage organization's members
Note: By default, a user with Member > Manage permission can assign, to themselves or to another user, any role with any permission regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.
Settings View View organization's configuration settings, including roles, TLS profiles, and user registries.

View configuration settings for a Catalog or Space, including policies and OpenAPI extensions.

  Manage Manage organization's configuration settings, including roles, TLS profiles, and user registries.

Manage configuration settings for a Catalog or Space, including policies and OpenAPI extensions.

Topology View View topology permissions for configuring portal and gateway services. Also view the clusters.
  Manage Manage topology permissions for configuring portal and gateway services. Also manage the clusters.
Org View View organization
Product-Drafts View View draft APIs and Products
  Edit View draft APIs and edit draft Products
Api-Drafts View View draft APIs
  Edit Edit draft APIs and view draft Products
Product View View Products
  Stage Stage Product
  Manage Manage Product
Product-Approval View View Product lifecycle changes
  Stage Approve the staging of a Product
  Publish Approve the publishing of a Product
  Supersede Approve the superseding of a Product
  Replace Approve the replacement a Product
  Deprecate Approve the deprecation of a Product
  Retire Approve the retiring of a Product
Consumer-Org View View consumer organization and developers
  Manage Manage consumer organization and developers
App View View both production and development applications.
  Manage Manage both production and development applications. A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission.
App-Dev Manage Manage development applications. This permission does not include the ability to manage production apps.
App-Approval View View application approvals, for requests to promote a development app to a production app.
  Manage Manage (Approve or Decline) requests for approval to promote a development app to a production app.
Subscription View View application Plan subscriptions that have been created by application developers in the Developer Portal.
  Manage Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
Subscription-Approval View View application Plan subscription approvals
  Manage Manage (Approve or Decline) application Plan subscriptions
Api-Analytics View View analytics
  Manage Manage analytics
Child View At the provider organization level, view Catalogs in the provider organization. At the Catalog level, view Spaces in the Catalog.
  Create At the provider organization level, create Catalogs in the provider organization. At the Catalog level, create Spaces in the Catalog.
  Manage At the provider organization level, manage Catalogs in the provider organization. At the catalog level, manage Spaces in the Catalog. Management tasks including deleting a Catalog or Space, or transferring ownership of a Catalog or Space.

A user with Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Table 4. Default API Manager UI roles and the default permissions assigned to those roles.
Role Role description Permissions Actions
Organization Owner A provider organization owner has the full set of access permissions to API Connect functions, and also commission APIs and tracks their business adoption. All permissions All actions.
Administrator A provider organization administrator has, by default, the full set of access permissions to API Connect functions, and also commission APIs and tracks their business adoption. All permissions All actions.
API Administrator API administrators manage the lifecycle of APIs and publish APIs for discovery and use. All permissions All actions except cannot manage the following permissions: Member, Settings, Topology, and Child.
Community Manager A community manager manages the relationship between the provider organization and application developers, provides information about API usage, and provides support to application developers. Member View
    Settings View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View, Edit
    Product View
    Product-approval View
    Consumer-org View, Manage
    App View, Manage
    App-dev Manage
    App-approval View, Manage
    Subscription View, Manage
    Subscription-approval View, Manage
    Api-analytics View, Manage
    Child View
Developer API developers design and develop APIs and applications for the provider organizations to which they belong.
Note: The Developer role allows the creation of Products and APIs, and the staging and publishing of Products to a Catalog or Space, when assigned to a user at the provider organization level, but not when assigned to a user who is a member only of a Catalog or Space within a provider organization. A Developer in a Catalog or Space can, however, manage Products that have been staged or published to the Catalog or Space.
Member View
    Settings View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View, Edit
    Product View, Stage, Manage
    Product-approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire
    Consumer-org View
    App View, Manage
    App-dev Manage
    App-approval View, Manage
    Subscription View, Manage
    Subscription-approval View, Manage
    Api-analytics View, Manage
    Child View, Create
Member Member of a provider organization Org View
Viewer Viewer of a provider organization Member View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View
    Product-approval View
    Consumer-org View
    App View
    App-approval View
    Subscription View
    Subscription-approval View
    Api-analytics View
    Child View
Note: In API Manager, the Organization Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications. In addition, you can create custom roles for the Developer Portal site itself.
Table 5. Developer Portal UI roles
Role Role Description Permission Actions
Owner Owns and administers the app developer organization Organization member View, Manage
    Organization settings View, Manage
    Organization view View
    Consumer product View
    Consumer app View or Manage production or development applications
    Consumer app-dev Manage development applications
    Consumer subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
    Consumer app-analytics View application analytics
Administrator Administers the app developer organization Organization member View, Manage
    Organization settings View, Manage
    Organization View
    Consumer product View
    Consumer app View, Manage production or development applications
    Consumer app-dev Manage development applications
    Consumer subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
    Consumer app-analytics View application analytics
Developer Builds and manages apps in the developer organization Organization member View
    Organization View
    Consumer product View
    Consumer app View or Manage production or development applications.
    Consumer app-dev Manage development applications
    Consumer app-analytics View
Member Member of the app developer organization Organization View
Viewer Viewer of the app developer organization Organization member View
    Organization settings View
    Organization View
    Consumer product View
    Consumer app View applications
    Consumer production-app View production applications
    Consumer app-analytics View application analytics
Note: A user called admin is created automatically, that has full administrator access to the Developer Portal site. The admin user can view Products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization associated with the Developer Portal.