Environment based roles

We're rolling out a new company org with Dev, Test, and Prod environments and would like to limit access to the Prod environment while adopting best practices, naming conventions, etc.

The goal is to provide developers with the ability to create, deploy, and test proxies (User + Operations Administrator roles) in the Dev/Test environments and give read-only access (Read-only Organization Administrator role) in production.

However, it appears that roles can't be segmented by environment without creating custom roles. We have 100s of developers and APIs, which makes the creation/mgmt of custom roles cumbersome at best.

We've thought of two ways to address the issue but neither is clean. The first is by creating two orgs - one for Dev, Test and the other for Prod, which will let us use Apigee's native roles to achieve the separation. The second involves building a role management console which could take advantage of custom roles while hiding the complexity.

Has anyone done something similar or solved in a different manner?

Thanks,

Allen

2 REPLIES

Hello @Allen.Rodgers,

I would handle the requirement in the following way:

OPTION A (If you wanted to have two separate Orgs Dev and Prod)

1. Associate the developers with the OOB Org Admin role in Dev Org.

2. Create a custom role with Read Only (Select only view option) Access for Prod Org. Associate the Developers with this custom role. If needed, you can even further drill down to providing this read only option to selected APIs as well.

OPTION B (If you wanted to have one Org with two different envs Dev and Prod)

1. Associate the developers with the OOB Org Admin role in Dev env.

2. Create a custom role with Read Only (Select only view option) Access for Prod env. Associate the Developers with this custom role. If needed, you can even further drill down to providing this read only option to selected APIs as well.

Hope this helps.

Hi @MEGHDEEP BASU -

Thanks for your reply. We would like to avoid having two separate orgs if possible. However, Apigee Edge roles (including custom) are not aware of environments unless you tie them to specific proxies. In addition, if a user has multiple roles assigned, the greater permission takes precedence.

This means that the custom role route will lead to 1000s of custom roles (# of proxies * # of developers * # of environments), which makes the administration of it impossible.
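
An added example, not part of the thread and not Apigee's own code: a simplified Python model of the rule stated in the reply above (with multiple roles assigned, the greater permission takes precedence), used to flag users whose combined roles allow more than read access on a Prod path. The role names, path patterns, users and the wildcard matching are all constructed assumptions of this model.

```python
from fnmatch import fnmatchcase

# Constructed role definitions (hypothetical names and path patterns):
# each role is a list of (path pattern, allowed verbs) entries.
ROLES = {
    "dev-test-admin": [
        ("/environments/dev/*", {"get", "put", "delete"}),
        ("/environments/test/*", {"get", "put", "delete"}),
    ],
    "prod-readonly": [("/environments/prod/*", {"get"})],
    "orgadmin": [("/*", {"get", "put", "delete"})],
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice@example.com": ["dev-test-admin", "prod-readonly"],
    "bob@example.com": ["orgadmin", "prod-readonly"],
}

# Constructed probe path standing in for a Prod deployment resource.
PROD_PROBE = "/environments/prod/apis/orders/deployments"


def effective_verbs(role_names, path):
    """Union of verbs from every assigned role whose pattern matches path.

    Models the thread's statement that the greater permission wins:
    a restrictive role never subtracts from a broader one.
    """
    verbs = set()
    for name in role_names:
        for pattern, allowed in ROLES[name]:
            if fnmatchcase(path, pattern):
                verbs |= allowed
    return verbs


def prod_write_violations(assignments, probe_path=PROD_PROBE):
    """Return users whose combined roles allow more than 'get' on probe_path."""
    return sorted(
        user
        for user, roles in assignments.items()
        if effective_verbs(roles, probe_path) - {"get"}
    )


if __name__ == "__main__":
    for user in prod_write_violations(ASSIGNMENTS):
        print(f"{user}: write access on Prod via combined roles")
```

In this model the read-only Prod role only holds when no other assigned role covers Prod paths, which is why a check like this has to run over the full set of assignments rather than over each role alone.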