Getting started

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

This page explains how to get started using Advanced API Security.

Required roles

The following sections describe the required roles to perform tasks using Advanced API Security.

Required roles for security reports

The table below shows the required roles to perform tasks related to security reports.

Security Report Task	Required Role(s)
Enable or disable Advanced API Security	Apigee Organization Admin (roles/apigee.admin)
Create and view reports	Apigee Organization Admin (roles/apigee.admin) Apigee Security Admin (roles/apigee.securityAdmin)
View reports	Apigee Security Viewer (roles/apigee.securityViewer) Apigee Security Admin (roles/apigee.securityAdmin)

Required roles for risk assessment

The table below shows the required roles to perform tasks related to risk assessment.

Risk Assessment Task	Required Role(s)
Create, update, or delete a custom security profile	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Organization Admin (roles/apigee.admin)
Attach or detach a security profile	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Organization Admin (roles/apigee.admin)
View security scores	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Security Viewer (roles/apigee.securityViewer) Apigee Organization Admin (roles/apigee.admin)
List all security profiles or get a profile	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Security Viewer (roles/apigee.securityViewer) Apigee Organization Admin (roles/apigee.admin)

Required roles for abuse detection

The table below shows the required roles to perform tasks related to abuse detection.

Abuse Detection Task	Required Role(s)
View incidents in the Abuse detection UI	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Security Viewer (roles/apigee.securityViewer) Apigee Organization Admin (roles/apigee.admin)

Required roles for security actions

The table below shows the required roles to perform tasks related to security actions.

Security Action Task	Required Role(s)
Create security actions	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Organization Admin (roles/apigee.admin)
Update security actions configuration	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Organization Admin (roles/apigee.admin)
View or list security actions	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Security Viewer (roles/apigee.securityViewer) Apigee Organization Admin (roles/apigee.admin)
Check the state of enforcement	Apigee Security Admin (roles/apigee.securityAdmin) Apigee Security Viewer (roles/apigee.securityViewer) Apigee Organization Admin (roles/apigee.admin)

Manage Advanced API Security for Subscription organizations

To use Advanced API Security as a Subscription customer, you must enable it in your organization, as described in the following sections:

• Get your Apigee add-ons configuration
• Enable Advanced API Security for Subscription organizations

If you are unsure whether you are using a Subscription or Pay-as-you-go Apigee organization, contact your Apigee organization administrator.

Get your Apigee add-ons configuration

In order to enable Advanced API Security for your Subscription organization, you first need to get your current Apigee add-ons configuration, using the following API call. This will also tell you whether Advanced API Security is already enabled.

curl "https://apigee.googleapis.com/v1/organizations/ORG" \
  -X GET \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer $TOKEN"

where

• ORG is the name of your organization.
• $TOKEN is the environment variable for an OAuth access token.

This call returns basic information about your organization, including a section for your Apigee add-ons configuration that begins with the line:

"addonsConfig": {

Check to see whether this section contains the following entry:

"apiSecurityConfig": {
          "enabled": true
      }

If so, Advanced API Security is already enabled in the organization. Otherwise, you need to enable it, as described next.

Enable Advanced API Security for Subscription organizations

To enable Advanced API Security in a Subscription organization with the default configuration, issue a POST request like the one shown below.

curl "https://apigee.googleapis.com/v1/organizations/ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
          "enabled": true
      }
      <Other entries of your current add-ons configuration>
    }
  }'

where

• ORG is the name of your organization.
• $TOKEN is the environment variable for an OAuth access token.
• <Other entries of your current add-ons configuration> consists of any other entries of your current Apigee add-ons configuration.

For example, if the current add-ons configuration is

"addonsConfig": {
  "integrationConfig": {
      "enabled":true
  },
  "monetizationConfig": {
      "enabled":true
  }
},

the command to enable Advanced API Security would be

curl "https://apigee.googleapis.com/v1/organizations/ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
          "enabled": true
      },
      "integrationConfig": {
          "enabled": true
      },
      "monetizationConfig": {
          "enabled": true
      }
    }
  }'

After you send the request, you will see a response like the following:

{
  "name": "organizations/apigee-docs-d/operations/0718a945-76e0-4393-a456-f9929603b32c",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
    "operationType": "UPDATE",
    "targetResourceName": "organizations/apigee-docs-d",
    "state": "IN_PROGRESS"
  }
}

Disable Advanced API Security for Subscription organizations

If for some reason you need to disable Advanced API Security in your Subscription organization, you can do so by issuing a POST request, passing the add-ons configuration in your request body, as shown below.

curl "https://apigee.googleapis.com/v1/organizations/$ORG:setAddons" \
  -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d '{
    "addonsConfig": {
      "apiSecurityConfig": {
          "enabled": false
      }
     <Include current add-ons configuration>
    }
  }'

The following provides an example of the response showing that the operation is in progress:

{
  "name": "organizations/$ORG/operations/06274ffb-8940-41da-836d-781cba190437",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
    "operationType": "UPDATE",
    "targetResourceName": "organizations/$ORG",
    "state": "IN_PROGRESS"
  }
}

For more information, see the Configure organization add-ons API.

Manage Advanced API Security for Pay-as-you-go organizations

If you are a Pay-as-you-go customer, you can enable Advanced API Security as a paid add-on. For more information on enabling the Advanced API Security add-on for your Intermediate or Comprehensive Apigee environments, see Manage the Advanced API Security add-on.

If you are unsure whether you are using a Subscription or Pay-as-you-go Apigee organization, contact your Apigee organization administrator.

Next steps

Once you have enabled Advanced API Security, take a look at the following sections:

• Security reports
• Risk assessment
• Abuse detection
• Security actions