Benefits of multiple organisations in Edge


What are the main benefits of multiple organisations in Apigee Edge? Is it the fact that different orgs can have different role based access controls and also that the traffic of individual orgs is isolated from the other (e.g. volume test in one doesn't impact the other)? Does each organisation have its own message processor and message router instances?


First, let me apologize for my appalling spelling. I was born in the USA and cannot help but spell the word "organization" with a Z.

What are the main benefits of multiple organisations in Apigee Edge?

The Organization is the security domain for an Apigee Edge tenant. Administrative Users or Operators are granted access to one or more Organizations.

Is it the fact that different orgs can have different role based access controls?

Maybe. That's one part of it. RBAC can allow you "finer-grained" control over who can do what, within an organization. Create or deploy proxies, create or edit API Products, view or create reports, and so on. (You know all this I guess). But the organization provides the "coarse grained" separation. An example: If my Edge user account has the "read-only administrator" role within an organization named "org1", obviously I will be able to see proxies, products, virtual hosts, KVMs, reports, and other users in that org. On the other hand, my user, lacking any role in "org2", will not be able to see any of those things in a second org, nor will I even be aware that the "org2" organization exists. This illustrates the "coarse grained" access control versus "fine grained" access control.

and also that the traffic of individual orgs is isolated from the other (e.g. volume test in one doesn't impact the other)?

Not exactly. You may have an unfounded assumption.

Does each organisation have its own message processor and message router instances?

Nope. Not always. The Organization is the security domain for an Apigee Edge tenant. Organization boundaries apply to administrative actions, not runtime behavior. It is possible for a single message processor server to be mapped to two or more Apigee Edge organizations. Runtime traffic for both distinct orgs would then be handled by the same MP.

If you deal with Apigee Edge SaaS, then Apigee ops people are the ones who provision the MPs to organizations. Sometimes the MP is mapped to all environments within a single org, sometimes an MP is mapped to a single environment in a single org, sometimes an MP is mapped to multiple environments in multiple orgs. If you are dealing with the "self managed" Apigee Edge - where you install and operate it (aka OPDK, etc) - then you have full control over this mapping.
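The reply above says a message processor can be mapped to several environments and several orgs at once, so the org boundary alone does not tell you what shares a runtime. The following is an added example, not part of the original reply and not Apigee code: a small audit over an MP-to-org/environment inventory that flags shared runtimes. The inventory format, the MP names and the `PROD_ENVS` set are constructed assumptions.

```python
# Constructed inventory: message processor -> (organization, environment) pairs it serves.
# Hypothetical format; on a self-managed install you would build this from your own records.
MP_ASSOCIATIONS = {
    "mp-01": [("org1", "prod")],
    "mp-02": [("org1", "test"), ("org1", "dev")],
    "mp-03": [("org1", "prod"), ("org2", "prod")],
    "mp-04": [("org2", "test"), ("org1", "prod")],
}
PROD_ENVS = {"prod"}  # assumption: environment names that carry production traffic


def audit_shared_runtime(associations, prod_envs=PROD_ENVS):
    """Return findings for MPs shared across orgs or across prod and non-prod."""
    findings = []
    for mp, pairs in sorted(associations.items()):
        orgs = sorted({org for org, _ in pairs})
        has_prod = any(env in prod_envs for _, env in pairs)
        has_nonprod = any(env not in prod_envs for _, env in pairs)
        if len(orgs) > 1:
            # Administrative separation only: both orgs' traffic lands on this MP.
            findings.append((mp, "cross-org", orgs))
        if has_prod and has_nonprod:
            # A volume test in the non-prod environment competes with prod traffic.
            findings.append((mp, "prod-nonprod", sorted(f"{o}/{e}" for o, e in pairs)))
    return findings


def blast_radius(associations, org, env):
    """List every (org, env) that shares at least one MP with the given org/env."""
    neighbours = set()
    for pairs in associations.values():
        if (org, env) in pairs:
            neighbours.update(p for p in pairs if p != (org, env))
    return sorted(neighbours)


if __name__ == "__main__":
    for mp, kind, detail in audit_shared_runtime(MP_ASSOCIATIONS):
        print(f"{mp}: {kind} sharing -> {', '.join(detail)}")
    print("org2/test load can affect:", blast_radius(MP_ASSOCIATIONS, "org2", "test"))
```
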

Apigee Edge is a multi-tenant system. You can use the same Message Processors and serve multiple customers. This gives the added benefit of separating traffic, users and other constructs between organizations. Depending on your scenario, multi-org can be used in different ways.

For volume tests you can either use multiple orgs or multiple environments, to keep the traffic away from your production traffic. You can leverage these benefits better if you have an on-prem installation. If you are on the managed cloud platform, then you do not have to worry about this.

If there is a specific question then do share here.

1. If we subscribe to the 'One Org SaaS API gateway', are we able to get different MPs for prod vs non-prod so that we can safely run performance, volume and security tests in non-prod? Or do I need multiple orgs to achieve this in the SaaS?

2. Within a single org, can we use RBAC to allow API developers to create and deploy proxies in non-prod environments but not in prod?

Yes, you can get distinct VMs in the SaaS offering for non-prod and prod, for a single org, if you want. You need to purchase the "Transaction Isolation Pack".

Yes, in a single org, you can use RBAC to allow some developers to deploy in prod and non-prod, and allow other developers to deploy only in non-prod.