
Managing Users, Roles, and Permissions

Edge for Private Cloud v. 4.16.09

The Apigee documentation site has extensive information on managing user roles and permissions. Users can be managed using both the Edge UI and the Management API; roles and permissions can be managed only with the Management API. 

For information on users and creating users, see:

Many of the operations that you perform to manage users require system administrator privileges. In a Cloud-based installation of Edge, Apigee functions in the role of system administrator. In an Edge for the Private Cloud installation, your system administrator must perform these tasks as described below.

Adding a user

You can create a user by using the Edge API, the Edge UI, or Edge commands. This section describes how to use the Edge API and Edge commands. For information on creating users in the Edge UI, see Creating global users.

After you create the user in an organization, you must assign a role to the user. Roles determine the access rights of the user on Edge. 

The user cannot log in to the Edge UI, and does not appear in the list of users in the Edge UI, until you assign the user to a role in an organization.

Use the following command to create a user with the Edge API:

curl -H "Content-Type:application/xml" -u <sysAdminEmail>:<passwd> \
-X POST http://<ms_IP>:8080/v1/users \
-d '<User>
   <FirstName>New</FirstName>
   <LastName>User</LastName>
   <Password>newUserPWord</Password>
   <EmailId>foo@bar.com</EmailId>
</User>'

Or use the following Edge command to create a user:

> /<inst_root>/apigee/apigee-service/bin/apigee-service apigee-provision create-user -f configFile

Where configFile contains the information necessary to create the user:

APIGEE_ADMINPW=sysAdminPW    # If omitted, you will be prompted.
USER_NAME=foo@bar.com
FIRST_NAME=New
LAST_NAME=User
USER_PWD="newUserPWord"
ORG_NAME=myorg  

You can then use this call to view information about the user:

curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users/foo@bar.com
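An added helper, not from the Apigee documentation, for the POST /v1/users call above: it builds the <User> body with every field XML-escaped, so a name or password containing &, <, >, " or ' neither breaks the request nor changes the XML structure. The function names xml_escape and user_xml are this example's own, and the body is written to a file and sent with curl's -d @file form (assumed) rather than embedded in a single-quoted string, where a backslash would be literal.

```shell
#!/bin/sh
# Added example (not Apigee's code): build the <User> XML body for
# POST /v1/users with each value escaped for XML.

# Escape the five XML special characters. '&' must be handled first so the
# entities produced for the other characters are not re-escaped.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# user_xml FIRST LAST PASSWORD EMAIL -> <User> document on stdout,
# matching the element names used by the Management API on this page.
user_xml() {
  printf '<User>\n'
  printf '  <FirstName>%s</FirstName>\n' "$(xml_escape "$1")"
  printf '  <LastName>%s</LastName>\n'   "$(xml_escape "$2")"
  printf '  <Password>%s</Password>\n'   "$(xml_escape "$3")"
  printf '  <EmailId>%s</EmailId>\n'     "$(xml_escape "$4")"
  printf '</User>\n'
}

# Usage against a Management Server (not run here; placeholders as on this page):
#   user_xml New User 'p&ss<word>' foo@bar.com > /tmp/user.xml
#   curl -H "Content-Type:application/xml" -u <sysAdminEmail>:<passwd> \
#        -X POST http://<ms_IP>:8080/v1/users -d @/tmp/user.xml
```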

Assigning the user to a role in an organization

Before a new user can do anything, they have to be assigned to a role in an organization. You can assign the user to different roles, including: orgadmin, businessuser, opsadmin, user, or to a custom role defined in the organization. 

Assigning a user to a role in an organization automatically adds that user to the organization. Assign a user to multiple organizations by assigning them to a role in each organization.

Use the following command to assign the user to a role in an organization:

curl -X POST -H "Content-Type:application/x-www-form-urlencoded" \
http://<ms_IP>:8080/v1/o/<org_name>/userroles/<role>/users?id=foo@bar.com \
-u <sysAdminEmail>:<passwd>

You can view the user's roles by using the following command:

curl -u <sysAdminEmail>:<passwd> \
http://<ms_IP>:8080/v1/users/foo@bar.com/userroles

To remove a user from an organization, remove all roles in that organization from the user. Use the following command to remove a role from a user:

curl -X DELETE -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/o/<org_name>/userroles/<role>/users/foo@bar.com

Adding a system administrator

A system administrator can:

  • Create orgs
  • Add Routers, Message Processors, and other components to an Edge installation
  • Configure TLS/SSL
  • Create additional system administrators
  • Perform all Edge administrative tasks

Although a single user is created by default for administrative tasks, there can be more than one system administrator. Any user who is a member of the sysadmin role has full permissions to all resources.

The sysadmin role is unique in that a user assigned to that role does not have to be part of an organization.  However, you typically assign it to an organization, otherwise that user cannot log in to the Edge UI.

You can create the user for the system administrator in either the Edge UI or API. However, you must use the Edge API to assign the user to the role of sysadmin. Assigning a user to the sysadmin role cannot be done in the Edge UI.

To add a system administrator:

  1. Create a user in the Edge UI or API.
  2. Add user to sysadmin role:
    curl -u <sysAdminEmail>:<passwd> \
    -X POST http://<ms_IP>:8080/v1/userroles/sysadmin/users \
    -d 'id=foo@bar.com'
  3. Make sure new user is in sysadmin role:
    curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/userroles/sysadmin/users

    Returns the user's email address:
    [ "foo@bar.com" ]
  4. Check permissions of new user:
    curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users/foo@bar.com/permissions

    Returns:
    {
      "resourcePermission" : [ {
        "path" : "/",
        "permissions" : [ "get", "put", "delete" ]
      } ]
    }
  5. After you add the new system administrator, you can add the user to any orgs. 
    Note: The new system administrator user cannot log in to the Edge UI until you add the user to at least one org.
  6. If you later want to remove the user from the system administrator role, you can use the following API:
    curl -X DELETE -u <sysAdminEmail>:<passwd> \
    http://<ms_IP>:8080/v1/userroles/sysadmin/users/foo@bar.com

    Note that this call only removes the user from the role; it does not delete the user.

Specifying the email domain of a system administrator

As an extra level of security, you can specify the required email domain of an Edge system administrator. When adding a system administrator, if the user's email address is not in the specified domain, then adding the user to the sysadmin role fails.

By default, the required domain is empty, meaning you can add any email address to the sysadmin role.

To set the email domain:

  1. Open management-server.properties in an editor:
    vi /<inst_root>/apigee/customer/application/management-server.properties

    If this file does not exist, create it.
  2. Set the conf_security_rbac.global.roles.allowed.domains property to the comma-separated list of allowed domains. For example:
    conf_security_rbac.global.roles.allowed.domains=myCo.com,yourCo.com
  3. Save your changes.
  4. Restart the Edge Management Server:
    /<inst_root>/apigee/apigee-service/bin/apigee-service edge-management-server restart

    If you now attempt to add a user to the sysadmin role, and the email address of the user is not in one of the specified domains, the add fails.
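An added audit helper, not part of the Apigee documentation, that serves both the sysadmin procedure above and the allowed-domains setting: it lists members of the sysadmin role whose e-mail domain is outside conf_security_rbac.global.roles.allowed.domains. The page describes the domain check as applying when a user is added to the role, so members added before the property was set are assumed (an assumption of this example) to be worth reviewing; the role listing and properties line below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Apigee's code): compare current sysadmin role members
# with the allowed e-mail domains configured on the Management Server.

# Constructed sample of what GET /v1/userroles/sysadmin/users returns.
SAMPLE_MEMBERS='[ "admin@myCo.com", "ops@yourCo.com", "contractor@example.net" ]'
# Constructed sample of the management-server.properties line.
SAMPLE_PROPS='conf_security_rbac.global.roles.allowed.domains=myCo.com,yourCo.com'

# Value of the allowed-domains property, lower-cased (domains are case-insensitive).
# Prints nothing when the property is absent, i.e. the default "any domain".
allowed_domains() {
  printf '%s\n' "$1" \
    | sed -n 's/^conf_security_rbac\.global\.roles\.allowed\.domains=//p' \
    | tr 'A-Z' 'a-z'
}

# E-mail addresses from the JSON array, one per line (tolerates the padded
# quoting shown on this page, e.g. [ " foo@bar.com " ]).
members_from_json() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -n 's/.*"[[:space:]]*\([^"[:space:]]*\)[[:space:]]*".*/\1/p'
}

# audit_sysadmins MEMBERS_JSON PROPS_LINE
# Prints each member whose domain is not allowed; exit 1 if any, else 0.
audit_sysadmins() {
  domains=$(allowed_domains "$2")
  [ -n "$domains" ] || return 0          # empty setting: every domain allowed
  rc=0
  for m in $(members_from_json "$1"); do
    dom=$(printf '%s' "$m" | sed 's/.*@//' | tr 'A-Z' 'a-z')
    case ",$domains," in
      *",$dom,"*) ;;                     # domain is in the allowed list
      *) printf '%s\n' "$m"; rc=1 ;;
    esac
  done
  return $rc
}

# Against a live Management Server (not run here; placeholders as on this page):
#   audit_sysadmins \
#     "$(curl -s -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/userroles/sysadmin/users)" \
#     "$(grep allowed.domains /<inst_root>/apigee/customer/application/management-server.properties)"
```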

Deleting a user

You can create a user either by using the Edge API or the Edge UI. However, you can only delete a user by using the API.

To see the list of current users, including email address, use the following cURL command:

curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users

Use the following cURL command to delete a user:

curl -u <sysAdminEmail>:<passwd> -X DELETE http://<ms_IP>:8080/v1/users/<userEmail>
