API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allows users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles, and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see: Creating custom roles. You can also create custom roles in the Developer Portal user interface.

The following sections describe the roles and permissions for each of the API Connect user interfaces:

User roles and permissions in the API Manager UI

The following tables describe the API Manager UI user permissions.

Note: In API Manager, the Owner role has full access and cannot be edited or deleted. All other roles can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.
Table 1. Organization permissions
Permissions Action Permits the member to
Member View View organization's members
  Manage Manage organization's members
Settings View View an organization's configuration settings, including roles, TLS profiles, and user registries.

View configuration settings for a Catalog or Space, including policies and OpenAPI extensions.

  Manage Manage an organization's configuration settings, including roles, TLS profiles, and user registries.

Manage configuration settings for a Catalog or Space, including policies and OpenAPI extensions.

Topology View Same permissions as Settings: View.
  Manage Same permissions as Settings: Manage.
Org View View an organization
Product-Drafts View View draft APIs and Products
  Edit View draft APIs and edit draft Products
Api-Drafts View View draft APIs
  Edit Edit draft APIs and view draft Products
Product View View Products
  Stage Stage Product
  Manage Manage Product
Product-Approval View View Product lifecycle changes
  Stage Approve the staging of a Product
  Publish Approve the publishing of a Product
  Supersede Approve the superseding of a Product
  Replace Approve the replacement a Product
  Deprecate Approve the deprecation of a Product
  Retire Approve the retiring of a Product
Consumer-Org View View consumer organization and developers
  Manage Manage consumer organization and developers
App View View both production and development applications.
  Manage Manage both production and development applications. A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission.
App-Dev Manage Same permissions as Settings: Manage.
App-Approval View View application approvals, for requests to promote a development app to a production app.
  Manage Manage (Approve or Decline) requests for approval to promote a development app to a production app.
Subscription View View application Plan subscriptions that have been created by application developers in the Developer Portal.
  Manage Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
Subscription-Approval View View application Plan subscription approvals.
  Manage Manage (approve or decline) application Plan subscriptions.
Consumer-Onboard-Approval View View consumer onboard approvals.
  Manage Manage (approve or decline) consumer onboard approvals.
Api-Analytics View View analytics data, as well as access and apply saved analytics queries.
  Manage In addition to the view permissions, the user can create, update, duplicate, delete, share, and unshare saved analytics queries.
Child View At the provider organization level, view Catalogs in the provider organization. At the Catalog level, view Spaces in the Catalog.
  Create At the provider organization level, create Catalogs in the provider organization. At the Catalog level, create Spaces in the Catalog.
  Manage At the provider organization level, manage Catalogs in the provider organization. At the catalog level, manage Spaces in the Catalog. Management tasks including deleting a Catalog or Space, or transferring ownership of a Catalog or Space.
Table 2. Default API Manager UI roles and the default permissions assigned to those roles.
Role Role description Permissions Actions
Organization Owner A provider organization owner has the full set of access permissions to API Connect functions, and also commission APIs and tracks their business adoption. All permissions All actions.
Administrator A provider organization administrator has, by default, the full set of access permissions to API Connect functions, and also commission APIs and tracks their business adoption. All permissions All actions.
API Administrator API administrators manage the lifecycle of APIs and publish APIs for discovery and use. All permissions All actions except cannot manage the following permissions: Member, Settings, Topology, and Child.
Community Manager A community manager manages the relationship between the provider organization and application developers, provides information about API usage, and provides support to application developers. Member View
    Settings View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View, Edit
    Product View
    Product-approval View
    Consumer-org View, Manage
    App View, Manage
    App-dev Manage
    App-approval View, Manage
    Subscription View, Manage
    Subscription-approval View, Manage
    Consumer-onboard-approval View, Manage
    Api-analytics View, Manage
    Child View
Developer API developers design and develop APIs and applications for the provider organizations to which they belong.
Note: The Developer role allows the creation of Products and APIs, and the staging and publishing of Products to a Catalog or Space, when assigned to a user at the provider organization level--but not when assigned to a user who is a member only of a Catalog or Space within a provider organization. A Developer in a Catalog or Space can manage Products that are staged or published to the Catalog or Space.
Member View
    Settings View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View, Edit
    Product View, Stage, Manage
    Product-approval View, Stage, Publish, Supersede, Replace, Deprecate, Retire
    Consumer-org View
    App View, Manage
    App-dev Manage
    App-approval View, Manage
    Subscription View, Manage
    Subscription-approval View, Manage
    Api-analytics View, Manage
    Child View, Create
Member Member of a provider organization Org View
Viewer Viewer of a provider organization Member View
    Topology View gateway services or portal services at the provider organization.
    Org View
    Drafts View
    Product-approval View
    Consumer-org View
    App View
    App-approval View
    Subscription View
    Subscription-approval View
    Api-analytics View
    Child View
Note: In API Manager, the Organization Owner role has full access and cannot be edited or deleted. All other roles can be deleted. If you delete a role, users lose that role. If a user loses that role, their account remains in API Manager, enabling you to add a role to the user at a future date.

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications. In addition, you can create custom roles for the Developer Portal site itself.
Table 3. Developer Portal UI roles
Role Role Description Permission Actions
Owner Owns and administers the app developer organization Organization member View, Manage
    Organization settings View, Manage
    Organization view View
    Consumer product View
    Consumer app View or Manage production or development applications
    Consumer app-dev Manage development applications
    Consumer subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
    Consumer app-analytics View application analytics
Administrator Administers the app developer organization Organization member View, Manage
    Organization settings View, Manage
    Organization View
    Consumer product View
    Consumer app View, Manage production or development applications
    Consumer app-dev Manage development applications
    Consumer subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
    Consumer app-analytics View application analytics
Developer Builds and manages apps in the developer organization Organization member View
    Organization settings View
    Organization View
    Consumer product View
    Consumer app View, Manage production or development applications
    Consumer app-dev Manage development applications
    Consumer subscription View or Manage the application Plan subscriptions that have been created by application developers in the Developer Portal. The Manage permission includes ability to migrate a subscription to another plan.
    Consumer app-analytics View
Member Member of the app developer organization Organization View
Viewer Viewer of the app developer organization Organization member View
    Organization settings View
    Organization View
    Consumer product View
    Consumer app View applications
    Consumer production-app View production applications
    Consumer app-analytics View application analytics
Note: A user called admin is created automatically, with full administrator access to the Developer Portal site. The admin user can view Products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization associated with the Developer Portal.