Getting started

This section explains how to get started using Advanced API Security.

Required roles

The table below shows the required roles to perform tasks related to Security Reports.

Security Report Task                       Required Role(s)
Enable or disable Advanced API Security    Apigee Organization Admin (roles/apigee.orgAdmin)
Create and view reports                    Apigee Organization Admin (roles/apigee.orgAdmin)
                                           Apigee Security Admin (roles/apigee.securityAdmin)
View reports                               Apigee Security Viewer (roles/apigee.securityViewer)
                                           Apigee Security Admin (roles/apigee.securityAdmin)

The table below shows the required roles to perform tasks related to security scores.

Security Scores Task          Required Role(s)
Attach or detach a profile    Apigee Security Admin (roles/apigee.securityAdmin)
                              Apigee Organization Admin (roles/apigee.orgAdmin)
View scores                   Apigee Security Admin (roles/apigee.securityAdmin)
                              Apigee Security Viewer (roles/apigee.securityViewer)
                              Apigee Organization Admin (roles/apigee.orgAdmin)

Enable Advanced API Security in an organization

To use Advanced API Security, you must enable it in your organization. To do so, you must first obtain an OAuth 2.0 access token. You can then enable Advanced API Security using an API call that passes the access token.

View the current add-ons configuration

Before enabling Advanced API Security, check whether it is already enabled by making the following API call:

curl "https://apigee.googleapis.com/v1/organizations/YOUR_ORG" \
  -X GET \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer $TOKEN"

where YOUR_ORG is the name of your organization and $TOKEN is the environment variable for an OAuth access token. This returns basic information about your organization, which includes a section for Apigee add-ons that begins with the line:

"addonsConfig": {

Check to see whether this section contains an entry that begins with "apiSecurityConfig", like the following example:

"apiSecurityConfig": {
    "enabled": "true"
}

If this entry is present, Advanced API Security is already enabled in the organization. If not, you need to enable it as described next.

Enable Advanced API Security

To enable Advanced API Security in the organization with the default configuration, issue a POST request like the one shown below.

curl "https://apigee.googleapis.com/v1/organizations/YOUR_ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
          "enabled": "true"
      }
      <Current add-ons configuration>
    }
  }'

where <Current add-ons configuration> is the current add-ons configuration. You can find the current add-ons configuration in the response to the call to view the current add-ons configuration. For example, if the current add-ons configuration is

"addonsConfig": {
    "integrationConfig": {
        "enabled": "true"
    },
    "monetizationConfig": {
        "enabled": "true"
    }
},

the command to enable Advanced API Security would be

curl "https://apigee.googleapis.com/v1/organizations/YOUR_ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
        "enabled": "true"
      },
      "integrationConfig": {
        "enabled": "true"
      },
      "monetizationConfig": {
        "enabled": "true"
      }
    }
  }'

After you send the request, you will see a response like the following:

{
  "name": "organizations/apigee-docs-d/operations/0718a945-76e0-4393-a456-f9929603b32c",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
    "operationType": "UPDATE",
    "targetResourceName": "organizations/apigee-docs-d",
    "state": "IN_PROGRESS"
  }
}

To see whether Advanced API Security is enabled, send the request described in View the current add-ons configuration.

For more information, see the Configure organization add-ons API.

Once you have enabled Advanced API Security, take a look at the following sections:

Disabling Advanced API Security in your organization

If for some reason you need to disable Advanced API Security in your organization, you can do so by issuing a POST request, passing the add-ons configuration in your request body, as shown below.

curl "https://apigee.googleapis.com/v1/organizations/$ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
          "enabled": "false"
      }
     <Include current add-ons configuration>
    }
  }'

The following provides an example of the response showing that the operation is in progress:

{
  "name": "organizations/$ORG/operations/06274ffb-8940-41da-836d-781cba190437",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
    "operationType": "UPDATE",
    "targetResourceName": "organizations/$ORG",
    "state": "IN_PROGRESS"
  }
}

For more information, see the Configure organization add-ons API.
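
Both the enable and the disable request above need the current add-ons configuration carried into the :setAddons body. The following added example (not part of the original page or Google's own code) builds that body from the organization response instead of pasting it by hand, and checks that only apiSecurityConfig changes; the sample response and the function names are constructed for illustration.

```python
import copy
import json

# Constructed sample of the GET organizations/YOUR_ORG response, trimmed to the
# fields used here; the add-ons match the page's example configuration.
SAMPLE_ORG_RESPONSE = """
{
  "name": "YOUR_ORG",
  "addonsConfig": {
    "integrationConfig": {"enabled": "true"},
    "monetizationConfig": {"enabled": "true"}
  }
}
"""


def api_security_enabled(org):
    """True if the response reports apiSecurityConfig as enabled.

    Accepts JSON true as well as the string form "true" shown on the page."""
    addons = org.get("addonsConfig") or {}
    value = (addons.get("apiSecurityConfig") or {}).get("enabled")
    return value is True or (isinstance(value, str) and value.lower() == "true")


def build_set_addons_body(org, enable):
    """Build the :setAddons body: copy every existing add-on entry unchanged
    and set only apiSecurityConfig.enabled (string form, as on the page)."""
    addons = copy.deepcopy(org.get("addonsConfig") or {})
    api_sec = dict(addons.get("apiSecurityConfig") or {})
    api_sec["enabled"] = "true" if enable else "false"
    addons["apiSecurityConfig"] = api_sec
    return {"addonsConfig": addons}


def changed_addons(org, body):
    """Add-on keys whose value differs between the current config and the body."""
    before = org.get("addonsConfig") or {}
    after = body["addonsConfig"]
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


if __name__ == "__main__":
    org = json.loads(SAMPLE_ORG_RESPONSE)
    body = build_set_addons_body(org, enable=True)
    # Pre-flight check: nothing except apiSecurityConfig may change.
    assert changed_addons(org, body) == ["apiSecurityConfig"]
    print(json.dumps(body, indent=2))  # use as the -d payload of the curl call
```
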