Solved: Vault Permissions Custom Roles

daniel_biales · 07-27-2016 09:28 AM

Hi,

We have created a bunch of custom roles for our on-prem instance of Apigee Edge. One of our customers wants to create vaults and vault entries. What permissions do I need to assign them so they can do that? If there aren't permissions that can be assigned, then who can create vaults and vault entries? only Org Admins?

anilsr

Great Question @daniel.biales ,

As you know, Apigee Edge platform itself is powered by APIs & same are called as Management APIs in Apigee.

Add Permissions for Resource to a Role , Management APIs gives you the ability to provide permissions to any role including custom role. Unfortunately, Ability to provide these permissions in Apigee Management UI is missing but with above #Api you can achieve same.

See sample API call to provide create vault at org level permission to custom role below,

curl -X POST -H "Authorization: Basic XXXX" -H "Content-Type: application/json" -H  -d '{
 "path" : "/vaults",
 "permissions" : [ "put" ]
}' "https://api.enterprise.apigee.com/v1/organizations/{ORGNAME}/userroles/{customRoleName}/permissions"

Just replace the permissions path, Auth Headers, Path & Permissions as per your need.

Keep us posted if you have any queries. Hope it helps.

View solution in original post

anilsr

Great Question @daniel.biales ,

As you know, Apigee Edge platform itself is powered by APIs & same are called as Management APIs in Apigee.

Add Permissions for Resource to a Role , Management APIs gives you the ability to provide permissions to any role including custom role. Unfortunately, Ability to provide these permissions in Apigee Management UI is missing but with above #Api you can achieve same.

See sample API call to provide create vault at org level permission to custom role below,

curl -X POST -H "Authorization: Basic XXXX" -H "Content-Type: application/json" -H  -d '{
 "path" : "/vaults",
 "permissions" : [ "put" ]
}' "https://api.enterprise.apigee.com/v1/organizations/{ORGNAME}/userroles/{customRoleName}/permissions"

Just replace the permissions path, Auth Headers, Path & Permissions as per your need.

Keep us posted if you have any queries. Hope it helps.

daniel_biales

What is the path for proxies? I know the old documentation used to say /applications/{proxy name} but I wasn't sure if that had changed

anilsr

@daniel.biales , You can find all APIs, API Paths, More details here. Api proxy related apis starts with "/apis/"

daniel_biales

ok cause I was trying to do something like a permission so that a user can only edit APIs that follow a certain naming convention. like "path":"/apis/group-name-*" This pattern seems to work for vault and product permissions but it doesn't work for apis. Do you have any ideas of how to do that for proxies?

anilsr

@daniel.biales , I don't think it supports regular expression like patterns, but you certainly try a specific proxy & let us know if it works. If it works then you have to add all API Proxies. Great idea to post in Ideas section.

daniel_biales

@Anil Sagar

the regular expressions seem to work with Vault and product permissions. I know it works for specific proxy names I was just hoping to do some pattern matching. I will post in Ideas and see if anyone has done this.

anilsr

@daniel.biales , Looks like it's a bug / missing feature since it works for vault & product permissions but not for apis. I will let engineering team know about this. Yep, Go ahead and suggest an idea in ideas section.

daniel_biales

@Anil Sagar here is my idea post https://community.apigee.com/content/idea/29245/regular-expression-based-permissions-for-api-keys.ht...

akoo

Hello all, I wanted to add an important note: encrypted KVMs are here. Details are in our documentation: http://docs.apigee.com/api-services/reference/key-value-map-operations-policy . You now have an option for encrypted data without having to use Node.js.