Apigee roles

This page applies to Apigee and Apigee hybrid.

This section describes the Apigee-specific roles that you commonly assign to your users. These are not the same roles that you assign to service accounts.

Apigee-specific roles

Apigee provides a set of pre-defined (or curated) roles called Apigee roles. In general, all pre-defined Apigee roles can:

  • Get and list organizations
  • Get and list environments (most but not all roles)
  • Get and list projects

The following table summarizes a few of the main Apigee roles.

| Curated Role Name | Description |
|---|---|
| Analytics Editor | Creates and analyzes reports on API proxy traffic for an Apigee organization. Can edit queries and reports. |
| API Admin (V2) | A developer that creates and tests API proxies. This role can read API products and apps, as well as edit API proxies, shared flows, and KVMs. This role replaces the deprecated API Creator role. |
| API Reader (V2) | Provides read-only access to most Apigee features, including API products, environment groups, environments, KVMs, proxies, shared flows, and more. |
| Analytics Viewer | Views analytics data for an organization. This role can get environment stats. |
| Environment Admin | This role gives full read/write access to Apigee environment resources, including flow hooks, keystores, KVMs, shared flows, and target servers. For a full listing of permissions for this role, see Apigee roles in the Cloud IAM documentation. |
| Developer Admin | Manages developer access to apps. This role can read API products and can edit app keys, developer apps, and developers. |
| Org Admin | A super user that has full access to all Apigee resources in the Apigee organization. This role can access all available actions for all APIs. This is the only role that can create, delete, or update organizations. |
| Read Only Admin | An administrator who can run reports and view everything in the Apigee organization without the ability to create or change anything. This role has read access to all Apigee resources within the Apigee organization. Your Google Cloud project's service account is assigned this role during setup and installation. |

You can view these roles and the service account roles in the IAM Permissions view within Google Cloud console:

[Image: IAM Permissions view in Cloud Console]

To access the IAM Permissions view:

  1. Open the Apigee UI.
  2. Select Admin > Roles.

For a complete list of API permissions for each role, see Apigee roles.

In addition to the Apigee roles, you also apply Google Cloud roles such as Logs Writer and Storage Object Admin to your users.
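
The following is an added example, not part of the Apigee documentation: a least-privilege review of who holds the write-capable roles from the table above, run over a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The role IDs are the Cloud IAM identifiers for those roles (they are not shown on this page); the review thresholds, severity labels, and sample policy are assumptions constructed for illustration.

```python
import json

# Cloud IAM role IDs for the write-capable curated roles (IDs are not listed on this page).
WRITE_ROLES = {
    "roles/apigee.admin": "Org Admin",
    "roles/apigee.environmentAdmin": "Environment Admin",
    "roles/apigee.apiAdminV2": "API Admin (V2)",
    "roles/apigee.developerAdmin": "Developer Admin",
    "roles/apigee.analyticsEditor": "Analytics Editor",
}
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:")
MAX_ORG_ADMINS = 2  # assumed review threshold, not an Apigee limit; a group counts as one member

def audit(policy):
    """Return (severity, role name, subject, reason) findings for one IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        name = WRITE_ROLES.get(binding.get("role"))
        if name is None:
            continue  # read-only Apigee role or a non-Apigee role: out of scope here
        members = binding.get("members", [])
        for m in members:
            if m.startswith(BROAD_PREFIXES):
                findings.append(("HIGH", name, m, "write role granted to a broad principal"))
            elif m.startswith("serviceAccount:"):
                findings.append(("MEDIUM", name, m, "user role granted to a service account"))
        if name == "Org Admin" and len(members) > MAX_ORG_ADMINS:
            findings.append(("MEDIUM", name, f"{len(members)} members", "too many super users"))
    return findings

# Constructed sample policy (all principals and the project name are made up).
SAMPLE = json.loads("""
{"bindings": [
  {"role": "roles/apigee.admin", "members": ["user:alice@example.com", "user:bob@example.com", "group:platform@example.com"]},
  {"role": "roles/apigee.apiAdminV2", "members": ["domain:example.com", "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
  {"role": "roles/apigee.readOnlyAdmin", "members": ["serviceAccount:apigee-setup@demo-project.iam.gserviceaccount.com"]},
  {"role": "roles/logging.logWriter", "members": ["user:carol@example.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The Read Only Admin binding on the setup service account is not flagged, matching the table's note that this role is assigned to the project's service account during installation.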