API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allow users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles, and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see: Creating custom roles. You can also create custom roles in the Developer Portal user interface.

The following sections describe the roles and permissions for each of the API Connect user interfaces:

User roles and permissions in the Cloud Manager UI

The following table describes the Cloud Manager UI user permissions as configured in the base product. Certain roles can be edited as indicated in Table 2, and custom roles can be created. For instructions on how to create custom roles for the Admin organization (Cloud Manager users), see Creating roles in the admin organization.
Note: In Cloud Manager, the Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If a role was removed from the member, the membership for the user still remains in API Connect, enabling you to add a role to the member at a future date.
Table 1. Cloud Manager UI permissions
Permission Action Description
Cloud Settings View View all items on the Cloud Manager > Settings menu including roles and default roles
Manage Manage all items on the Cloud Manager > Settings menu including roles and default roles
Members View View members on the members list at Cloud Manager > Members
Manage Add and invite members from Cloud Manager > Members
Note: By default, a user with Member > Manage permission can assign any role, with any permissions, to themselves or to another user, regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.
Analytics View View analytics in Cloud Manager; includes creating, updating, duplicating, deleting, sharing, and unsharing saved queries
Topology View View the items on Cloud Manager > Topology menu
Manage Add, edit, and delete the items on the Cloud Manager > Topology menu
Resources View View all the items on the Cloud Manager > Resources menu
Manage Manage all the items available on the Cloud Manager > Resources menu
Org View View all roles in Cloud Manager
Settings View View roles at Cloud Manager > Settings > Roles menu
Manage Manage roles at Cloud Manager > Settings > Roles menu which includes configuring Governance
Provider-org View View the list of provider organizations at Cloud Manager > Provider organizations menu
Manage Add, edit, and delete provider organizations and invite owners from Cloud Manager > Provider organizations menu
The following table lists the various Cloud Manager UI roles and the permissions that are assigned to them.
Table 2. Cloud Manager UI roles
Role Actions Default role provides access to Description
Administrator View, Manage All menus Administers the admin organization
View, Manage
View, Manage
View
View, Manage
View, Manage
View
Owner View, Manage All menus Owns and administers the admin organization
View, Manage
View, Manage
View
View, Manage
View, Manage
View
Member View Org The Member role is automatically assigned to any user who is onboarded without a role. It allows them to log in but does not provide access to any menus.
Organization Manager View Org Manages API provider organizations
View, Manage Provider-org
Topology Administrator View Org, view only Administers the cloud topology
View, Manage Topology menu
View, Manage Settings menu
Viewer View All menus Views the admin organization

User roles and permissions in the API Manager UI

The following tables describe the API Manager UI user permissions.

A user with Roles permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Note: In API Manager, the Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If a role was removed from the member, the membership for the user still remains in API Connect, enabling you to add a role to the member at a future date.
Table 3. Organization permissions
Permissions Action Meaning
Member View View organization's members
Manage Manage organization's members
Note: By default, a user with Member > Manage permission can assign any role, with any permissions, to themselves or to another user, regardless of the permissions that they themselves have. However, you can apply a restriction such that, for a user to assign a role, they must themselves have at least all of the permissions that are applied to that role. To apply that restriction, complete the following steps:
  1. Log in to your management server from the toolkit CLI as a member of the cloud administration organization; for details, see Logging in to management server.
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic cloud-settings:update --server mgmt_endpoint_url -
    where mgmt_endpoint_url is the platform API endpoint URL.
  3. Enter the following data, followed by a new line:
    restrict_member_manage_permission: true
  4. Press CTRL D to terminate the input.
Settings View
  • View an organization's configuration settings, including roles, TLS profiles, and user registries.
  • View configuration settings for a Catalog or Space, including policies and OpenAPI extensions.
Manage
  • Manage an organization's configuration settings, including roles, TLS profiles, user registries, Governance, API tests, and Discovery.
  • Manage configuration settings for a Catalog or Space, including policies and OpenAPI extensions.
Topology View View or manage services associated with the organization, including Gateways, Developer Portal, and Analytics.
Manage Manage services associated with the organization, including Gateways, Developer Portal, and Analytics.
Org View Activate membership
Product-Drafts View View draft APIs and Products
Edit View draft APIs and edit draft Products
Engagement View  
Manage  
Api-Drafts View View draft APIs
Edit Edit draft APIs and API tests, view draft Products, and API testing
Product View View product
Stage Stage product
Manage Manage product
Product-Approval View View product lifecycle changes
Stage Approve the staging of a product
Publish Approve the publishing of a product
Supersede Approve the superseding of a product
Replace Approve the replacement of a product
Deprecate Approve the deprecation of a product
Retire Approve the retiring of a product
Consumer-Org View View consumer organization and developers
Manage Manage consumer organization and developers
App View View both production and development applications
Manage Manage both production and development applications.
Note: A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission.
App-Dev Manage View and manage the development applications
App-Approval View View application approvals, for requests to promote a development app to a production app
Manage Manage (approve or decline) requests for approval to promote a development app to a production app
Subscription View View application plan subscriptions that have been created by application developers in the Developer Portal.
Manage Manage the application plan subscriptions that have been created by application developers in the Developer Portal.
Note: The Manage permission includes ability to migrate a subscription to another plan.
Subscription-Approval View View application Plan subscription approvals.
Manage Manage (approve or decline) application plan subscriptions.
Consumer-Onboard-Approval View View consumer onboard approvals.
Manage Manage (approve or decline) consumer onboard approvals.
Api-Analytics View View analytics data, as well as access and apply saved analytics queries.
Manage Create, update, duplicate, delete, and share saved analytics queries including view permission
Child View View Catalogs in the provider organization level and Spaces in the Catalog level
Create Create Catalogs in the provider organization level and Spaces in the Catalog level
Manage Manage Catalogs in the provider organization level and Spaces in the Catalog level.
Note: Management tasks include deleting a Catalog or Space, or transferring ownership of a Catalog or Space.
API-Agent All permission Use conversational API Agent
Governance-Enforcement-Approval View  
Manage  
Audit View View audit events

A user with Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Table 4. Default API Manager UI roles and the default permissions assigned to those roles.
Role Role description Permissions Actions
Administrator A provider organization administrator has, by default, the full set of access permissions to API Connect functions, and also commissions APIs and tracks their business adoption. All permissions All actions
API Agent User API Agent chat user. An API Agent chat user has only the view permission. With API-Agent permission you can perform all actions for API Agent. Member All actions for API Agent
Owner A provider organization owner, who owns and administers the organization, has the full set of access permissions to API Connect functions, and also commissions APIs and tracks their business adoption. All permissions All actions
Viewer Viewer of a provider organization All menus View
Governance-Enforcement-Approval View, Manage
API Administrator API administrators manage the lifecycle of APIs and publish APIs for discovery and use. Member View
Settings View
Topology View
Org View
Engagement View, Manage
Product-Drafts View, Edit
API-Drafts View, Edit
Product View, Stage, Manage
Product-Approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive
Consumer-Org View, Manage
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-Approval View, Manage
Consumer-Onboard-Approval View, Manage
API-Analytics View, Manage
Child View, Create
Governance-Enforcement-Approval View, Manage
Community Manager A community manager manages the relationship between the provider organization and application developers, provides information about API usage, and provides support to application developers. Member View
Settings View
Topology View
Org View
Engagement View, Manage
Product-Drafts View, Edit
API-Drafts View, Edit
Product View
Product-Approval View
Consumer-Org View, Manage
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-approval View, Manage
Consumer-Onboard-Approval View, Manage
Api-Analytics View, Manage
Child View
Developer API developers design and develop APIs and applications for the provider organizations to which they belong.
Note: The Developer role allows the creation of Products and APIs, and the staging and publishing of Products to a Catalog or Space, when assigned to a user at the provider organization level but not when assigned to a user who is a member only of a Catalog or Space within a provider organization. A Developer in a Catalog or Space can manage Products that are staged or published to the Catalog or Space.
Member View
Settings View
Topology View
Org View
Product-Drafts View, Edit
API-Drafts View, Edit
Product View, Stage, Manage
Product-approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, and Archive
Consumer-Org View
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-Approval View, Manage
Api-Analytics View, Manage
Child View, Create
Governance-Enforcement-Approval View, Manage
Member Member of a provider organization Org View
Note:
  • Owners and administrators have the full permission to use API Agent. See API Agent user roles for more information.
  • In API Manager, the Organization Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.
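
The effect of restrict_member_manage_permission, described in the notes to Table 1 and Table 3, modelled as a subset check over the Table 4 role definitions. This is an added example, not IBM code: the "Member Admin" role is a hypothetical custom role, treating a user's effective permissions as the union of their roles is an assumption, and permission names follow the Table 3 spellings.

```python
# Added illustration: a model of the role-assignment rule, not API Connect code.

def perms(spec):
    """Expand {"Member": "View, Manage"} into {("Member","View"), ("Member","Manage")}."""
    return {(name, action.strip())
            for name, actions in spec.items() for action in actions.split(",")}

# Rows that Community Manager and Developer share in Table 4.
SHARED = {"Member": "View", "Settings": "View", "Topology": "View", "Org": "View",
          "Product-Drafts": "View, Edit", "Api-Drafts": "View, Edit",
          "App": "View, Manage", "App-Dev": "Manage", "App-Approval": "View, Manage",
          "Subscription": "View, Manage", "Subscription-Approval": "View, Manage",
          "Api-Analytics": "View, Manage"}

ROLES = {
    "Member": perms({"Org": "View"}),
    "Community Manager": perms({**SHARED, "Engagement": "View, Manage",
        "Product": "View", "Product-Approval": "View",
        "Consumer-Org": "View, Manage",
        "Consumer-Onboard-Approval": "View, Manage", "Child": "View"}),
    "Developer": perms({**SHARED, "Product": "View, Stage, Manage",
        "Product-Approval":
            "View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive",
        "Consumer-Org": "View", "Child": "View, Create",
        "Governance-Enforcement-Approval": "View, Manage"}),
    # Hypothetical custom role (not a product default): member management only.
    "Member Admin": perms({"Org": "View", "Member": "View, Manage"}),
}

def effective(user_roles):
    """Assumption: a user's permissions are the union of their roles' permissions."""
    return set().union(*(ROLES[r] for r in user_roles))

def assignable(user_roles, restrict_member_manage_permission):
    """Roles this user can assign to themselves or to another user."""
    held = effective(user_roles)
    if ("Member", "Manage") not in held:
        return []                      # cannot assign roles at all
    if not restrict_member_manage_permission:
        return sorted(ROLES)           # default: any role, whatever the user holds
    # Restricted: the user must hold every permission applied to the role.
    return sorted(r for r, needed in ROLES.items() if needed <= held)

def missing(user_roles, role):
    """Permissions that block an assignment once the restriction is on."""
    return sorted(ROLES[role] - effective(user_roles))

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, assignable(["Member Admin"], flag))
    print(missing(["Member Admin", "Developer"], "Community Manager"))
```

With the setting off, the member-management role alone is enough to grant Developer, and with it the Product Stage and Manage actions; with the setting on, the same user can grant only roles that their own permissions already cover.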

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications. In addition, you can create custom roles for the Developer Portal site itself.
Note: In Developer Portal, the Owner role has full access and cannot be edited or deleted. All other roles, including custom roles, can be deleted. If a role was removed from the member, the membership for the user still remains in API Connect, enabling you to add a role to the member at a future date.
Table 5. Developer Portal UI roles
Role Role Description Permission Actions
Owner Owns and administers the API provider organization Member View, Manage
Settings View, Manage
Topology View, Manage
Org View
Engagement View, Manage
Product View, Stage, Manage
Product-Approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive
Consumer-Org View, Manage
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
Subscription-Approval View, Manage
Consumer-Onboard-Approval View, Manage
Api-analytics View, Manage
Child View, Create, Manage
Audit View
Governance-Enforcement-Approval View, Manage
Administrator Administers the API provider organization Member View, Manage
Settings View, Manage
Topology View, Manage
Org View
Engagement View, Manage
Product View, Stage, Manage
Product-Approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive
Consumer-Org View, Manage
App View, Manage production, or development applications
App-Dev Manage development applications
App-Approval View, Manage
Subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes the ability to migrate a subscription to another plan.
Subscription-Approval View, Manage
Consumer-Onboard-Approval View, Manage
API-Analytics View, Manage
Child View, Create, Manage
Audit View
Governance-Enforcement-Approval View, Manage
API Agent User API Chat Agent User All menus View only
Viewer Views the API provider organization All menus View only
Governance-Enforcement-Approval View, Manage
API Administrator Manages the API product lifecycle Member View
Settings View
Topology View
Org View
Engagement View, Manage
Product View, Stage, Manage
Product-Approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive
Consumer-Org View, Manage
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-Approval View, Manage
Consumer-Onboard-Approval View, Manage
API-Analytics View, Manage
Child View, Create
Governance-Enforcement-Approval View, Manage
Developer Authors API and product definitions Member View
Settings View
Topology View
Org View
Product View, Stage, Manage
Product-Approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire, Archive
Consumer-Org View
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-Approval View, Manage
API-Analytics View, Manage
Child View, Create
Governance-Enforcement-Approval View, Manage
Member Member of the app developer organization Org View, minimum role
Community Manager Manages application developer communities Member View
Settings View
Topology View
Org View
Engagement View, Manage
Product View applications
Product-Approval View production applications
Consumer-Org View application analytics
App View, Manage
App-Dev Manage
App-Approval View, Manage
Subscription View, Manage
Subscription-Approval View, Manage
Consumer-Onboard-Approval View, Manage
API-Analytics View, Manage
Child View
Note: A user who is called admin is created automatically, with full administrator access to the Developer Portal site. The admin user can view Products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization that is associated with the Developer Portal.