Creating custom roles and permissions for Apigee Edge

As an Apigee administrator, at some point you will need to manage user permissions beyond what the built-in roles Apigee provides. To create a custom role and its permissions, first identify the following:

  • Which functionality your users need to access
  • Which permissions, or capabilities, they require

Once you have identified those, consult the permission reference in this document, as you will need it to build your JSON request. To summarize, here is the list:

Standards

  • Analytics
  • Analytics data export
  • API models
  • API Monitoring
  • API Packages
  • API products
  • API proxies
  • Apps
  • Asynch query
  • Audits
  • Caches
  • Custom reports
  • Data mask
  • Debug
  • Deployments
  • Developers
  • Keystores
  • Key Value Maps
  • OAuth
  • Organizations
  • References
  • Resource files
  • Roles
  • Shared Flows
  • Stats
  • Target Servers
  • Users
  • Virtual Hosts

Requires Apigee Sense (Monetization)

  • Companies
  • Credits
  • Rate Plans
  • Refund
  • Reports
  • Transactions

To begin creating custom roles and permissions, you need to use the Apigee Management API. The two endpoints you want to use are:

  • POST userroles
  • POST userroles/{rolename}/resourcepermission

POST userroles

This is the endpoint for creating the custom role. As a best practice, I recommend keeping the role name all lowercase (e.g. proxydeveloper).

POST userroles/{rolename}/resourcepermission

This is the endpoint for setting up multiple permissions at once. To speed this up, you may want to review the existing roles through GET {rolename} and derive the permissions for your new role from them. As an example, below is the sample request body I created for the resourcepermission request.

{
  "resourcePermission": [
      {
          "path": "/",
          "permissions": ["get"]
      },
      {
          "path": "/applications",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*/revisions",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*/revisions/*",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*/deployments",
          "permissions": [ "get"]
      },
      {
          "path": "/applications/*/revisions/*/deployments",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments",
          "permissions": [ "get"]
      },
      {
          "path": "/environments/*/deployments",
          "permissions": ["get"]
      },
      {
          "path": "/environments/*/applications/*/deployments",
          "permissions": [ "get" ]
      },
      {
          "path": "/environments/*/applications/*/revisions/*/deployments",
          "permissions": [ "put", "get", "delete"]
      },
      {
          "path": "/applications/*/revisions/*/npm",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*/revisions/*/policies",
          "permissions": ["get","put"]
      },
      {
          "path": "/applications/*/revisions/*/policies/*",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments/*/applications/*/revisions/*/debugsessions",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments/*/applications/*/revisions/*/debugsessions/*",
          "permissions": ["get","put"]
      },
      {
          "path": "/keyvaluemaps",
          "permissions": []
      },
      {
          "path": "/keyvaluemaps/*",
          "permissions": []
      },
      {
          "path": "/keyvaluemaps/*/entries",
          "permissions": []
      },
      {
          "path": "/keyvaluemaps/*/entries/*",
          "permissions": []
      },
      {
          "path": "/keyvaluemaps/*/keys",
          "permissions": []
      },
      {
          "path": "/environments/*/keyvaluemaps",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments/*/keyvaluemaps/*",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments/*/keyvaluemaps/*/entries",
          "permissions": ["put"]
      },
      {
          "path": "/environments/*/keyvaluemaps/*/entries/*",
          "permissions": ["get","put","delete"]
      },
      {
          "path": "/environments/*/keyvaluemaps/*/keys",
          "permissions": ["get"]
      }
  ]
}

Some highlights of the JSON request:

The entry below specifies that your user needs access to resources from the default path. It is mandatory to add this; otherwise, most of the permissions you set will not work.

      {
          "path": "/",
          "permissions": ["get"]
      },

The entries below specify that the user needs to use debug mode (AKA the trace tool).

      {
          "path": "/environments/*/applications/*/revisions/*/debugsessions",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments/*/applications/*/revisions/*/debugsessions/*",
          "permissions": ["get","put"]
      },

These are the permissions related to API proxy deployment (note that “applications” = proxy):

      {
          "path": "/applications/*/deployments",
          "permissions": [ "get"]
      },
      {
          "path": "/applications/*/revisions/*/deployments",
          "permissions": ["get","put"]
      },
      {
          "path": "/environments",
          "permissions": [ "get"]
      },
      {
          "path": "/environments/*/deployments",
          "permissions": ["get"]
      },
      {
          "path": "/environments/*/applications/*/deployments",
          "permissions": [ "get" ]
      },
      {
          "path": "/environments/*/applications/*/revisions/*/deployments",
          "permissions": [ "put", "get", "delete"]
      },

To recap, the example above contains the permissions I derived from the built-in role “user”, with deployment, debug and KVM access added to it.
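To tie the two endpoints together, here is an added Python example (not from the original post or from Apigee): it checks a resourcePermission body for the mandatory "/" get entry, lists the paths that grant write or delete so you can review them for least privilege, and then issues the two POSTs in order. The full Management API paths under organizations/{org}, the role-creation body, the Basic-auth credentials and the trimmed SAMPLE_BODY are my assumptions and constructed data.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample: a trimmed subset of the resourcePermission body from the post.
SAMPLE_BODY = {"resourcePermission": [
    {"path": "/", "permissions": ["get"]},
    {"path": "/applications/*/revisions/*", "permissions": ["get", "put"]},
    {"path": "/environments/*/applications/*/revisions/*/deployments",
     "permissions": ["put", "get", "delete"]},
    {"path": "/keyvaluemaps", "permissions": []},
]}
WRITE_VERBS = {"put", "delete"}

def has_root_get(body):
    """The post marks the '/' entry with 'get' as mandatory; confirm it is present."""
    return any(e["path"] == "/" and "get" in e["permissions"]
               for e in body["resourcePermission"])

def write_paths(body):
    """Paths the role may create, update or delete on: what to review for least privilege."""
    return sorted(e["path"] for e in body["resourcePermission"]
                  if WRITE_VERBS & set(e["permissions"]))

def denied_paths(body):
    """Entries with an empty permission list grant nothing on that path."""
    return sorted(e["path"] for e in body["resourcePermission"] if not e["permissions"])

def _post(url, payload, user, password):
    """One authenticated JSON POST to the Management API (Basic auth; network call)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def create_role(org, role, body, user, password,
                base="https://api.enterprise.apigee.com/v1"):
    """The two-step procedure from the post: create the role, then attach its permissions.
    Assumed full Edge paths: organizations/{org}/userroles and
    organizations/{org}/userroles/{role}/resourcepermissions."""
    if not has_root_get(body):
        raise ValueError("body must contain {'path': '/', 'permissions': ['get']}")
    _post(f"{base}/organizations/{org}/userroles", {"role": [{"name": role}]}, user, password)
    return _post(f"{base}/organizations/{org}/userroles/{role}/resourcepermissions",
                 body, user, password)
```

Running the three check functions on SAMPLE_BODY flags the two write-capable paths and the org-level /keyvaluemaps entry that grants nothing; create_role() is the only function that touches the network and refuses to run without the "/" get entry.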

Note: I will update this entry as I progress on this topic.