Apigee roles

This section describes the Apigee-specific roles that you commonly assign to your users. These are not the same roles that you assign to service accounts.

Apigee-specific roles

Apigee provides a set of pre-defined (or curated) roles called Apigee roles. In general, all pre-defined Apigee roles can:

  • Get and list organizations
  • Get and list environments (most but not all roles)
  • Get and list projects

The following table summarizes the Apigee roles. (It does not include the service agent roles.) For each role's specific API permissions, see Apigee roles.

| Curated Role Name | Description |
|---|---|
| Analytics Editor | Creates and analyzes reports on API proxy traffic for an Apigee organization. Can edit queries and reports. |
| API Admin | A developer that creates and tests API proxies. This role can read API products and apps, as well as edit API proxies, shared flows, and KVMs. This role replaces the deprecated API Creator role. |
| Analytics Viewer | Views analytics data for an organization. This role can get environment stats. |
| API Creator (Deprecated) | This role is deprecated and has been replaced with the API Admin role. |
| Environment Admin | Deploys and undeploys API proxies to the runtime. This role can get API products, apps, and API proxies. It can edit flow hooks, keystores, KVMs, shared flows, and target servers. In addition, this role can deploy and undeploy API proxy revisions. This role replaces the deprecated Deployer role. |
| Deployer (Deprecated) | This role is deprecated. Please use the Apigee Environment Admin role instead. |
| Developer Admin | Manages developer access to apps. This role can read API products and can edit app keys, developer apps, and developers. |
| Org Admin | A super user that has full access to all Apigee resources in the Apigee organization. This role can access all available actions for all APIs. This is the only role that can create, delete, or update organizations. |
| Read Only Admin | An administrator who can run reports and view everything in the Apigee organization without the ability to create or change anything. This role has read access to all Apigee resources within the Apigee organization. Your Google Cloud project's service account is assigned this role during setup and installation. |

You can view these roles and the service account roles in the IAM Permissions view within the Google Cloud console.

To access the Permissions view:

  1. Open the Apigee UI.
  2. Select Admin > Roles.

For a complete list of API permissions for each role, see Apigee roles.

Deprecated roles

The following roles have been deprecated and replaced with the roles specified:

  • API Creator (replaced with Apigee API Admin (roles/apigee.apiAdminV2)).
  • API Reader (replaced with a new V2 version (roles/apigee.apiReaderV2)).
  • Deployer (replaced with Apigee Environment Admin (roles/apigee.environmentAdmin)).
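
An added example, not part of the Apigee documentation: Python that rewrites an exported IAM policy so that bindings on the deprecated roles use the replacements listed above, merging members into any existing binding for the replacement role while keeping conditional bindings separate. The deprecated role IDs, the sample policy and the function name migrate_policy are assumptions; confirm the IDs against your project's role list before relying on them.

```python
import json

# Replacement IDs on the right come from the list above. The deprecated IDs on
# the left are assumptions (the page names those roles but not their IDs).
REPLACEMENTS = {
    "roles/apigee.apiCreator": "roles/apigee.apiAdminV2",
    "roles/apigee.apiReader": "roles/apigee.apiReaderV2",
    "roles/apigee.deployer": "roles/apigee.environmentAdmin",
}

# Constructed sample in the shape of an IAM policy exported as JSON.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [
        {"role": "roles/apigee.deployer", "members": ["user:alice@example.com"]},
        {"role": "roles/apigee.environmentAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/apigee.apiCreator", "members": ["group:devs@example.com"],
         "condition": {"title": "temp",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/logging.logWriter", "members": ["user:alice@example.com"]},
    ],
}

def migrate_policy(policy):
    """Return (new_policy, changes); changes lists (member, old_role, new_role)."""
    merged, changes = {}, []
    for binding in policy.get("bindings", []):
        old_role = binding["role"]
        new_role = REPLACEMENTS.get(old_role, old_role)
        # A conditional grant must not be folded into an unconditional one,
        # so the condition is part of the merge key.
        key = (new_role, json.dumps(binding.get("condition"), sort_keys=True))
        merged.setdefault(key, set()).update(binding.get("members", []))
        if new_role != old_role:
            changes += [(m, old_role, new_role) for m in sorted(binding.get("members", []))]
    bindings = []
    for (role, cond_json), members in sorted(merged.items()):
        entry = {"role": role, "members": sorted(members)}
        if json.loads(cond_json) is not None:
            entry["condition"] = json.loads(cond_json)
        bindings.append(entry)
    # Everything except the bindings (version, etag) is carried over unchanged.
    return {**policy, "bindings": bindings}, changes

if __name__ == "__main__":
    new_policy, changes = migrate_policy(SAMPLE_POLICY)
    for member, old, new in changes:
        print(f"{member}: {old} -> {new}")
    print(json.dumps(new_policy, indent=2))
```

Review the reported changes before applying the rewritten policy, and keep the etag so that a concurrent policy change is rejected instead of overwritten.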

In addition to the Apigee roles and service account roles, you also apply Google Cloud roles such as Logs Writer and Storage Object Admin to your users.