A user represents an authenticated account that can access an organization and the entities within that organization, such as the environments, API proxies, and keystores.
To add a new user to your Apigee organization, you grant access to the user's account, first in the Cloud project and then in the Apigee UI. (This document uses the terms "user" and "user account" interchangeably.)
When you add a new user, you typically:
- In the Console, assign the new user to one or more roles in your Cloud
project. This gives the user broad access to all environments in the organization.
For more information, see Manage access in the Console.
- In the Apigee UI, refine that new user's access by specifying one or more
roles per environment in your Apigee organization.
For more information, see Manage users in the Apigee UI.
About role inheritance
The capabilities that you grant to the user account depend on the type of role that you assign to them. For example, you might assign a developer to the role of API Creator so that they can create API proxies, KVM, and shared flows. For someone that will deploy proxies, you might assign them to the role of Deployer, which grants them the ability to deploy and undeploy API proxy revisions. For details about all Apigee roles, see Apigee roles.
Additionally, the resources that a user can access based on their role depends on where you assigned the role:
- Cloud project: If you assign a role in the Console (on the Cloud project), then the user can access all Apigee resources—all environments and resources within those environments—in that role. This is because the Cloud project is the parent of the Apigee UI in the resource hierarchy; the permissions set on the parent (the Cloud project) are inherited by all children (environments). You can refine this access by specifying user roles on a per environment basis in the Apigee UI.
- Environment access: If you assign a role in the Apigee UI, the user only acts as that role for the selected environment. This assignation supersedes settings at the Cloud project level. However, these role assignments are for the selected environments only—role assignments for all other environments continue to inherit the Cloud project's settings.
The following image shows how inheritance works with this access model:
When you add a specific role to a user at one of these levels, the user has access to all resources below that level in that role by default. Because an environment is considered a resource underneath the Cloud project, permissions set on the Cloud project apply to all environments unless you specify more fine-grained permissions on the environment in the Apigee UI.
For example, if you define a user as an API Creator on the Cloud project only and don't specify per-environment roles in the Apigee UI, then that user will have access—as an API Creator— to all environments in your organization.
Apigee recommends that you do the following for each new user account that you add. (When adding "super users" or administrators, this is not necessary.):
- In the Console, add the new user account and select a role that has a minimal set of permissions. For example, set the role of a new user to API Creator.
- In the Apigee UI's Environment Access view, add the user and set the appropriate roles for each environment in the organization as described in Manage users. This lets you apply more fine-grained permissions after you grant the user access to the project in the Console.
To reiterate: To specify that a user should have permissions only to certain environments, grant an appropriate role on the environment in the Apigee UI after adding them to the project in the Console.
About Cloud access control
Access control in Google Cloud Platform is controlled using Cloud Identity and Access Management (Cloud IAM). Cloud IAM lets you set permissions specifying who has what kind of access to which resources in your project.
Users are a type of member, a broad term that refers to an identity that can be granted access to resources. Other types of Cloud members include service accounts, Google groups, and G Suite domains. For more information, see this overview of Cloud Identity and Access Management.