This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
This topic describes how to add users to an environment, remove users from an environment, and update user roles in an environment, using the UI.
About role scope
You can add users to Apigee organizations using the Google Cloud console. When you do this, the user is granted the same access to all environments in the organization. However, you can refine each user's access by using the Apigee UI.
The Apigee UI lets you assign roles to users that are specific to a given environment. Instead of each user having the same role in all environments of an organization, you can assign a specific role or roles for that user for each environment.
When you first configure Apigee and create the Google Cloud project to which the Apigee organization is
bound, you typically add a few users with different roles like API Admin
and
Environment Admin
. Because these users are defined at the Cloud Project project level, they can
access all environments with the roles granted.
If you grant access using the Apigee UI, you can set roles of existing users at the environment level.
Add user accounts in the UI
Apigee in Cloud console
To specify user permissions for an environment:
- Ensure that you have already added the user to your Google Cloud project. For information on adding users to a Google Cloud project, see Granting, changing, and revoking access to resources.
- Open the Apigee UI in Cloud console in a browser.
- In the left navigation pane, click Management > Environments.
- Select the environment you wish to edit from the list of available environments.
- Click the Access tab on the Environment details page.
The UI displays a list of current user accounts and roles for the selected environment.
- Click +Grant Access.
The Grant Access pane displays.
- Enter the user's email account in the first field. This email address is typically one
of the following:
- An individual Google account (for example,
fred@gmail.com
). All Gmail accounts are Google accounts, but you can also register email addresses with different domains as Google accounts. - A Google Group alias. For example,
address@googlegroups.com
. - A service account. For example,
address@example.gserviceaccount.com
. - A Google Workspace domain. For example,
address@example.com
, whereexample.com
is a domain that you used when you signed up for Google Cloud services.
- An individual Google account (for example,
- Select a role from the Role(s) drop-down list and click OK. You can add more than one role for each user. For details on available roles, see Apigee roles and IAM permissions reference.
- Click Grant.
- Repeat this process for each environment for which you want to specify the user's role.
You can remove a user account from an environment using the UI, but that user account will still have the access that it was granted in the Google Cloud console unless you also remove the user from the Console by default.
Classic Apigee
To specify user permissions for an environment:
- Ensure that you have already added the user to your Google Cloud project. For information on adding users to a Google Cloud project, see Granting, changing, and revoking access to resources.
- Open the Apigee UI in a browser.
- Select Admin > Environments > Access in the left navigation menu.
- Select the environment name from the drop-down list.
The UI displays a list of current user accounts and roles for the selected environment:
- Click +Grant Access.
The Grant Access to Environment pane displays:
- Enter the user account's email address in the first field. This email address is typically one
of the following:
- A Google account (for example,
fred@gmail.com
). All Gmail accounts are Google accounts, but you can also register email addresses with different domains as Google accounts. - A Google Group alias. For example,
address@googlegroups.com
. - A service account. For example,
address@example.gserviceaccount.com
. - A Google Workspace domain. For example,
address@example.com
, whereexample.com
is a domain that you used when you signed up for Google Cloud services.
- A Google account (for example,
- Select a role from the Role drop-down list and click Add. You can add more than one role for each user. For details on available roles, see Apigee roles and IAM permissions reference.
- Repeat this process for each environment for which you want to specify the user's role.
You can remove a user account from an environment using the UI, but that user account will still have the access that it was granted in the Google Cloud console unless you also remove the user from the Console by default.
Remove user accounts
Removing a user at the environment level does not remove the user at the Google Cloud project level. As a result, the user can still access all environments with their Google Cloud project level permissions.
To revoke the user's access entirely, you must remove them from the Google Cloud project as described in Revoking Access to Google Cloud Platform.
Apigee in Cloud console
To remove a user from an environment:
- Open the Apigee UI in Cloud console in a browser.
- In the left navigation pane, click Management > Environments.
- Select the environment name you wish to edit from the list of available environments.
- Click the Access tab on the Environment details page.
The UI displays a list of current user accounts and roles for the selected environment.
- In the user's row, click the three-dot menu under Actions and select Remove.
The UI displays a confirmation dialog box.
- Click Remove Access.
The UI removes that user from the environment.
Classic Apigee
To remove a user from an environment:
- Open the Apigee UI in a browser.
- Select Admin > Environments > Access in the left navigation menu.
- Select the environment name from the drop-down list.
The UI displays a list of current users for the selected environment.
- In the user's row, click
The UI displays a confirmation dialog box:
Delete.
- Click Revoke.
The UI removes that user from the environment.
Change user roles in the UI
You can change a user's role on a per-environment basis by using the UI. This includes adding additional roles to a user account or removing one or more roles from the user account.
Apigee in Cloud console
To change a user's roles for an environment:
- Open the Apigee UI in Cloud console in a browser.
- In the left navigation pane, click Management > Environments.
- Select the environment name you wish to edit from the list of available environments.
- Click the Access tab on the Environment details page.
The UI displays a list of current user accounts and roles for the selected environment.
- In the user's row, click the three-dot menu under Actions and select Edit.
The UI displays the Manage Roles pane.
- Do one of the following:
- To remove a role: Clear the checkbox next to that role.
- To add another role: Select the checkbox next to the role you wish to add.
- Click OK.
- Click Update.
The UI applies your changes to the user in that environment.
Classic Apigee
To change a user's roles for an environment:
- Open the Apigee UI in a browser.
- Select Admin > Environments > Access in the left navigation menu.
- Select the environment name from the drop-down list.
The UI displays a list of current users for the selected environment.
- In the user's row, click
The UI displays the Manage Roles dialog box:
Edit.
- Do one of the following:
- To remove a role: Click Cancel next to that role.
- To change a role: Select a new role from the drop-down list of roles.
- To add another role: Click Add another role.
- Click Apply.
The UI applies your changes to the user in that environment.