This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
All Apigee users are called global users because they are created outside of any Apigee organization. Once created, a global user can then be assigned to one or more organizations:
When you assign a user to an organization, you must specify the user's role in that organization. The user's role determines the actions that the user is allowed to perform in that organization. For example, some users are allowed to create APIs, while others can view APIs but cannot modify them.
A global user can also be assigned to the role of Apigee organization administrator or Apigee read-only administrator. An organization administrator performs all administrative tasks required to maintain Apigee, including creating new global users.
What information defines a user?
An Apigee user is defined by the following:
- First name
- Last name
- Email address
- Password
The email address and password function as the user's credentials when logging in to the Apigee UI and when making requests through the Apigee API.
What are roles?
On its own, a global user cannot do anything in Apigee. For a global user to be able to function, the user must be assigned to an organization role.
Roles are essentially CRUD-based permission sets. CRUD means "create, read, update, delete". For example, a user may be given a role in an organization that permits read, or "get", access to details about a protected entity, but not write permission to update or delete it. The organization administrator is the highest-level role in the organization, and can perform any CRUD operation on any entity in the organization.
About predefined organization roles
All Apigee organizations are created with the following roles with a predefined set of permissions:
- Organization Administrator
- Read-only Organization Administrator
- Operations Administrator
- Business User
- User
You can also create custom roles, with custom permissions, in your organization.
About the administrator roles
Apigee supports the following administrator roles:
- Read-only administrator role
- Organization administrator role
Apigee organization administrators can:
- Create organizations and environments
- Add additional components to an Apigee installation
- Configure TLS/SSL
- Create additional administrators
- Perform all other Apigee administrative tasks
For details about administrator permissions, see Apigee roles.
Assigning global users to an organization
The following image shows the structure of an Apigee organization:
An organization contains two distinct types of users:
- Organization users: Create, modify, and deploy APIs, create and manage entities such as API products, developers, and developer apps, generate analytics reports, and perform other administrative tasks. Organization users are Apigee global users assigned to an organization with a specific role.
- Developers: Build the apps that make requests to your APIs. A developer is not an Apigee global user. Think of developers as your API customers. To access the APIs in your organization, a developer must register with the organization and then request an API key. A developer can be registered with multiple organizations to consume APIs from different organizations.
The big difference between users and developers in an organization is that users are Apigee global users that build and maintain APIs, while developers are customers that build apps that consume those APIs. Developers typically do not have global user accounts on Apigee, and cannot log in to the Apigee UI. The exception to this is an organization user who creates their own developer and developer apps for testing purposes.
For more on developers, see Publishing overview.