Last updated: 2025-09-05 (UTC).

# Apigee Spaces roles and permissions

*This page applies to **Apigee** and **Apigee hybrid**.*

*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*

This page lists the [Identity and Access Management](/iam/docs) roles and permissions required to use and manage Apigee Spaces and Space resources.

When using Spaces, it is important to note that IAM roles and permissions are primarily granted at the Space level and enable Apigee users to view and manage only the subset of API resources assigned to the Space. This is a change in behavior from Apigee contexts where Spaces are not used, in which the roles and permissions granted to Apigee users for the management of API resources typically enable access to all resources of that type.

To learn more about the default roles and permissions required when using Spaces, see the following sections:

- [Roles and permissions to create and manage Apigee Spaces](#create-manage-spaces)
- [View Space resources in Google Cloud console](#view-space-resources)
- [View and assign roles using IAM in the Google Cloud console](#view-space-roles)

Roles and permissions to create and manage Apigee Spaces
--------------------------------------------------------

New roles and permissions have been added to IAM to make using Apigee Spaces in Apigee organizations easier for common use cases, as shown in the following sections.

### Predefined roles for Apigee Spaces

To allow Space members to manage resources in that Space, use the `setIamPolicy` method on a Space resource to grant the `apigee.spaceContentEditor` role to the member. For more information, see [Add an organization member to a Space](/apigee/docs/api-platform/system-administration/spaces/create-spaces#members-roles).

To allow Space members to use the Apigee UI to manage Space resources, grant the members the `apigee.spaceConsoleUser` role on the Google Cloud project. For more information, see [View Space resources in Google Cloud console](#view-space-resources).

**Note:** The roles described in this section do not give Space members the ability to deploy or undeploy API proxies or shared flows. To allow Space members to manage deployments, set an IAM policy at the Apigee environment or Google Cloud project level granting the `apigee.environment.admin` role to the Space member.

If you have a more complex scenario, or would like to understand how usage of Spaces changes the IAM permission hierarchy, see [IAM permission hierarchy in Apigee Spaces](/apigee/docs/api-platform/system-administration/spaces/iam-permission-hierarchy-spaces).

### Permissions required to create and manage Apigee Spaces

New permissions have been added to IAM to enable the creation and management of Spaces, as described in the following table. Apigee users assigned the `apigee.admin` role will have the required permissions to create and manage a Space in an Apigee organization.

View Space resources in Google Cloud console
--------------------------------------------

To view API resources associated with Spaces using the Apigee UI, users must be granted a custom role: `apigee.spaceConsoleUser`.

**Note:** This role should be granted to users at the Google Cloud project level using IAM and *not* at the Space level.

For more information on using the UI to view and manage API resources in Spaces, see [Manage API resources in Apigee Spaces](/apigee/docs/api-platform/system-administration/spaces/manage-space-resources).

Check to ensure that this custom role is granted to any user who wants to use Apigee in Cloud console to view and manage Space resources. If the `apigee.spaceConsoleUser` role is not already available in IAM for your users, ask your organization administrator to add the role for the organization's Google Cloud project.

The administrator can create the role using the following command:

```sh
# Create the project-level custom role with the read-only permissions the Apigee UI needs.
gcloud iam roles create apigee.spaceConsoleUser \
  --project="PROJECT_ID" \
  --title="Apigee Space Console User" \
  --description="Apigee Space Console User" \
  --permissions="apigee.entitlements.get,apigee.organizations.get,apigee.organizations.list,apigee.projectorganizations.get,resourcemanager.projects.get,apigee.spaces.list,apigee.spaces.get,apigee.deployments.list,apigee.environments.list,apigee.environments.get,apigee.envgroups.list,apigee.envgroupattachments.list,apigee.instances.list,apigee.apps.list" \
  --stage=GA
```

Replace `PROJECT_ID` with the name of the Google Cloud project where the Apigee organization was created.

View and assign roles using IAM in the Google Cloud console
-----------------------------------------------------------

You can confirm the role assignments and permissions granted to Space members and organization administrators at the Google Cloud project level using IAM in the Google Cloud console.

#### To check for the roles

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project)
2. Select the project.
3. In the **Principal** column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.

#### To grant the roles

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project)
2. Select the project.
3. Click **Grant access**.
4. In the **New principals** field, enter your user identifier.

   This is typically the email address for a Google Account.
5. In the **Select a role** list, select a role.
6. To grant additional roles, click **Add another role** and add each additional role.
7. Click **Save**.

To check for the IAM policies applied at the Space level, see [Manage members and roles in a Space](/apigee/docs/api-platform/system-administration/spaces/create-spaces#members-roles).
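
The project-level check described above can also be scripted. The following is an added example, not part of the Apigee documentation: it compares a custom role definition with the permission list from the `gcloud iam roles create` command on this page, and lists Space members who have no project-level binding to `apigee.spaceConsoleUser`. The function names, sample principals, and the extra `apigee.proxies.delete` permission are constructed for illustration; the input shapes are assumed to match `gcloud iam roles describe --format=json` and `gcloud projects get-iam-policy --format=json`.

```python
# Permission list copied from the `gcloud iam roles create` command on this page.
EXPECTED = set(
    "apigee.entitlements.get,apigee.organizations.get,apigee.organizations.list,"
    "apigee.projectorganizations.get,resourcemanager.projects.get,apigee.spaces.list,"
    "apigee.spaces.get,apigee.deployments.list,apigee.environments.list,"
    "apigee.environments.get,apigee.envgroups.list,apigee.envgroupattachments.list,"
    "apigee.instances.list,apigee.apps.list".split(","))


def role_drift(role_def):
    """Report permissions added to or missing from the custom role definition."""
    actual = set(role_def.get("includedPermissions", []))
    return {"extra": sorted(actual - EXPECTED), "missing": sorted(EXPECTED - actual)}


def members_without_role(policy, role_name, principals):
    """Return users with no project-level binding to role_name, directly or via a group.

    principals maps each user to the identities to match: the user itself plus
    the groups the caller knows the user belongs to (the policy does not expand groups).
    """
    bound = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role_name:
            bound.update(binding.get("members", []))
    return sorted(user for user, ids in principals.items() if not bound & set(ids))


# Constructed sample data; PROJECT_ID is a placeholder, all principals are made up.
ROLE = "projects/PROJECT_ID/roles/apigee.spaceConsoleUser"
SAMPLE_ROLE = {"name": ROLE, "stage": "GA", "includedPermissions": [
    "apigee.spaces.list", "apigee.spaces.get", "apigee.organizations.get",
    "apigee.proxies.delete"]}  # last entry simulates a permission added later
SAMPLE_POLICY = {"bindings": [
    {"role": ROLE, "members": ["user:alice@example.com", "group:space-red@example.com"]},
    {"role": "roles/apigee.admin", "members": ["user:admin@example.com"]}]}
SAMPLE_PRINCIPALS = {
    "user:alice@example.com": ["user:alice@example.com"],
    "user:bob@example.com": ["user:bob@example.com", "group:space-red@example.com"],
    "user:carol@example.com": ["user:carol@example.com"],
}

if __name__ == "__main__":
    print(role_drift(SAMPLE_ROLE))
    print(members_without_role(SAMPLE_POLICY, ROLE, SAMPLE_PRINCIPALS))
```

An `extra` entry means the console role grants more than the read-only set documented here, which is worth reviewing before the role is assigned project-wide.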