Granular control/CRUD access via roles?


Hi,

Is it possible through the mgmt API to configure custom roles such that people belonging to role X are only able to GET/PUT/DELETE API proxies with a predefined prefix, for example xxx-* or yyy-*, and cannot see/interfere with prefixes not 'assigned' to their roles?

What I am trying to achieve is a process whereby different teams will have different custom roles which are isolated away from others such that they cannot edit another team's API proxies.

I was thinking if we defined something in the role permissions like:

        {
            "organization": "myorg-nonprod",
            "path": "/applications/xxx-*",
            "permissions": [
                "get", "put", "delete"
            ]
        }

It would mean that role would only be able to 'see' API proxies defined with that prefix, etc., and also edit/delete.

This isn't working and I was wondering if:

1) This is correct

2) This is possible.

If not, is there any other prescribed process on how to isolate and manage role access to assets within the same org space?

3 REPLIES

This can be accomplished, not by prefix, but by creating a custom role for each "team" and then assigning people to those teams.

The trick is to create the team role with the appropriate settings.

Now developers assigned to this team role will only see newly created resources by users in that role.

5916-screen-shot-2017-11-10-at-25726-pm.png

Hi Kurt,

I was about to post earlier to say that it wasn't working, as I had made the changes to the role as per your screenshot above, but even after 10 mins the user could still see the other users' proxies, etc.

However, I assume there is a (significant?) delay before the changes take place as I logged in again this morning and the test user role now cannot see the existing API proxies generated by other non-same role users. So that's cool.

My current hiccup is that the user *can* click the "New Proxy" button and get to the final 'Summary' stage, but when I click 'Build and Deploy', it does nothing. I'm assuming I'm missing a role permission through the Apigee API Management that I'll need to update.

Hi,

I've noticed that proxies created before the new roles are put in place still show up, because they were not created by the new role.

You could add them manually to the role to get them in alignment.

Check the "Deploy" selection for the environment (center of the screen shot).

Regards,