API Connect user roles

The IBM® API Connect solution provides an infrastructure, tools, and facilities that allow users to create, manage, and stage APIs. The ability to perform tasks in the API Connect user interfaces is controlled through user roles, and the permissions that are assigned to those roles.

The roles described here are the default API Connect roles. In the API Manager user interface, you can create custom roles; for more information, see: Creating custom roles.

The following sections describe the roles and permissions for each of the API Connect user interfaces:

User roles in the API Manager UI.
User roles in the Developer Portal UI.

The roles are as follows:

Member role given to any user that is on boarded without another role and is the minimum role that allows user to login only.
Owner and Admin roles have all permissions and their cannot be modified.
Custom roles can be created in the Admin organization and in Provider organizations, but not in Consumer organizations.

Note: In Cloud Manager and API Manager, the Owner role has full access and Member role has read only access. Both Owner and Member roles cannot be edited or deleted. All other roles, including custom roles, can be deleted. If a role was removed from the member, the membership for the user still remains in API Connect, enabling you to add a role to the member at a future date.

User roles and permissions in the API Manager UI

The following tables describe the API Manager UI user permissions.

A user with Roles permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Table 1. Organization permissions
Permissions	Action	Description
App-Approval	View	View application approvals, for requests to promote a development application to a production application
App-Approval	Manage	Manage (approve or decline) requests for approval to promote a development application to a production application
Subscription	View	View application plan subscriptions that have been created by consumer organizations in the Developer Portal
Subscription	Manage	Manage the application plan subscriptions that have been created by consumer organizations in the Developer Portal Note: The Manage permission includes ability to migrate a subscription to another plan.
Subscription-Approval	View	View application plan subscription approvals
Subscription-Approval	Manage	Manage (approve or decline) application plan subscriptions
Consumer-Onboard-Approval	View	View consumer onboard approvals
Consumer-Onboard-Approval	Manage	Manage (approve or decline) consumer onboard approvals
API-Analytics	View	View analytics data, as well as access and apply saved analytics queries
API-Analytics	Manage	Create, update, duplicate, delete, and share saved analytics queries including view permission
Child	View	View catalogs in the provider organization level and spaces in the catalog level
	Create	Create catalogs in the provider organization level and spaces in the catalog level
	Manage	Manage catalogs in the provider organization level and spaces in the catalog level Note: Management tasks include deleting a catalog or space, or transferring ownership of a catalog or space.
API-Drafts	View	View draft APIs
API-Drafts	Edit	Edit draft APIs and API tests, view draft products, and API testing
API-Agent	All	Use conversational API Agent
Governance-Enforcement-Approval	View	View all items in the Governance enforcement approval tasks section. With this permission, you can view all tasks created as part of governance enforcement flow, that require approval by catalog administrator
Governance-Enforcement-Approval	Manage	View and modify all items in the Governance enforcement approval tasks section. With this permission, you can view and update all tasks (approve or reject) created as part of governance enforcement flow, that require approval by catalog administrator
Product	View	View product
	Stage	Stage product
	Manage	Manage product
Product-Approval	View, Manage	View and manage products, which includes viewing product lifecycle changes, and performing actions such as: stage manage publish supersede replace deprecate retire
Consumer organization	View	View consumer organization and developers
Consumer organization	Manage	Manage consumer organization and developers
App	View	View both production and development applications
App	Manage	Manage both production and development applications Note: A member with this permission can also request the promotion of a development app to a production app. This request triggers a task that needs approval by a member with the App-approval Manage permission.
App-Dev	Manage	View and manage the development applications
Audit	View	View audit events
Settings	View	View an organization's configuration settings, including roles, TLS profiles, and user registries. View configuration settings for a catalog or space, including policies and OpenAPI extensions.
Settings	Manage	Manage an organization's configuration settings, including roles, TLS profiles, user registries, Governance, API tests, and Discovery. Manage configuration settings for a catalog or space, including policies and OpenAPI extensions.
Member	View	View the members of an organization
Member	Manage	Manage the members of an organization
Topology	View	View or manage services associated with the organization, including Gateways, Developer Portal, and Analytics.
Topology	Manage	Manage services associated with the organization, including Gateways, Developer Portal, and Analytics.
Engagement	View	View all items in the Engagement section including rules, tasks, destinations, and engagement configurations. With this permission, you can monitor alert conditions, view notification settings, and track engagement activities across the system.
Engagement	Manage	View and modify all items in the Engagement section including creating, updating, and deleting rules, tasks, destinations, and engagement configurations. With this permission, you can configure alert conditions, set up notification channels, and manage the complete engagement workflow.
Product-Drafts	View	View draft APIs and products
Product-Drafts	Edit	View draft APIs and edit draft products

A user with Settings > Manage permission can change the permission assignments, and can create custom roles; for more information, see Creating custom roles in the section, Managing your APIs.

Table 2. Default API Manager UI roles and the default permissions assigned to those roles.
Role	Action	Provides access to	Description
Administrator	View, Manage	All menus	Administers the API provider organization
API Agent User	View	All menus	By default, an API Agent chat user has only view permission. To perform all actions for the API Agent, you need to have the API-Agent permission
Owner	View, Manage	All menus	Owns and administers the API provider organization
Viewer	View	All menus	Views the API provider organization
API Administrator	View, Manage	All menus, but cannot manage the following: Member, Settings, Topology, Organization, and Child	Manages the lifecycle of APIs and publish APIs for discovery and use
Community Manager	View, Manage	All menus, but cannot manage the following: Member, Settings, Topology, Organization, Product, Product-Approval, and Child	Manages the relationship between the provider organization and consumer organizations, provides information about API usage, and provides support to consumer organizations
Member	View	Organization	Minimum role. Member role is automatically assigned to any user on boarded without a role. It allows them to login but does not provide access to any menus
Developer	View, Manage	All menus, but cannot manage the following: Menu, Settings, Topology, and Org. For product and Product-Approval the developer role can do the following actions: view, stage, publish, supersede, replace, deprecate, retire, and archive	API developers design and develop APIs and applications for the provider organizations to which they belong. Note: The developer role allows the creation of products and APIs, and the staging and publishing of products to a catalog or space, when assigned to a user at the provider organization level but not when assigned to a user who is a member only of a catalog or space within a provider organization. A developer in a catalog or space can manage products that are staged or published to the catalog or space.

Note: Owners and administrators have the full permission to use API Agent. See API Agent user roles for more information.

User roles in the Developer Portal UI

The following table describes the various Developer Portal UI roles that relate to working with APIs and applications.

Table 3. Developer Portal UI roles
Role	Action	Provides access to	Description
Owner	View, Manage	Organization member	Owns and administers the consumer organizations and view or manage the application plan subscriptions that have been created by consumer organizations in the Developer Portal. The manage permission includes ability to migrate a subscription to another plan.
	View, Manage	Organization settings
	View	Organization view
	View	Consumer product
	View, Manage production or development applications	Consumer application
	Manage development application	Consumer organizations
	View, Manage production or development applications	Consumer subscription
	View	Consumer application analytics
Administrator	View, Manage	Organization member	Administers the consumer organizations and view or manage the application plan subscriptions that have been created by consumer organizations in the Developer Portal. The manage permission includes the ability to migrate a subscription to another plan.
	View, Manage	Organization settings
	View	Organization
	View	Consumer product
	View, Manage production or development applications	Consumer application
	Manage development applications	Consumer organizations
	View, Manage	Consumer subscription
	View application analytics	Consumer application analytics
Viewer	View	Organization member	Viewer of the consumer organizations
	View	Organization settings
	View	Organization
	View	Consumer product
	View applications	Consumer application
	View production applications	Consumer production application
	View application analytics	Consumer application analytics
Developer	View	Organization member	API developers are responsible for building and managing applications within their respective developer organizations. View or manage the application plan subscriptions that have been created by consumer organizations in the Developer Portal. The manage permission includes ability to migrate a subscription to another plan.
	View	Organization settings
	View	Organization
	View	Consumer product
	View, Manage production or development applications	Consumer application
	Manage development applications	Consumer organizations
	View, Manage	Consumer subscription
	View application analytics	Consumer application analytics
Member	View	Organization	Member of the consumer organizations

Note: A user who is called admin is created automatically, with full administrator access to the Developer Portal site. The admin user can view products and APIs but has no access to use APIs. The admin user assumes the email address of the owner of the provider organization that is associated with the Developer Portal.