RBAC for KVM for a given environment

Hi,

I wanted to grant a Custom Role access to Create/Update/Delete KVMs, for only a given KVM in a given Apigee environment (like Dev).

The scenario is: once the Apigee Org Admin creates a KVM and grants the Custom Role the permission to that KVM, the developer (associated with the Custom Role) can then add/update/delete Key/Value pairs in that KVM as he or she needs for their proxy development purposes, without the Org Admin becoming the bottleneck; but at the same time, limiting their access to other Apigee environments like Test or Prod.

Is there a way to do that?

I tried the following (by specifying the Environment & KVM in the ResourcePermission), but it's not limiting the access to the 'test' region as specified for the specified role; the developer is able to list key-value pairs in the Prod region as well.

curl -u "{Org_Admin_EMailId}:{Org_Admin_Password}" -i -n -k -X POST \
  -H content-type:application/xml -H accept:application/xml \
  "https://api.enterprise.apigee.com/v1/o/{Org_Name}/userroles/{Custom_Role_Name}/permissions" \
  -d '<ResourcePermission path="/environments/test/keyvaluemaps/{KVM_Name}"><Permissions><Permission>get</Permission><Permission>put</Permission><Permission>delete</Permission></Permissions></ResourcePermission>'

Thanks,

Aneesh.


Hi Aneesh,

Your permissions for this custom role allow PUT and DELETE as well as GET to the KVMs in the test region.

But your statement is:

developer is able to list key-value pairs in Prod region as well.

You refer here specifically to listing KVM, a GET operation. That is as expected. I think most users can perform GET on the KVM.

Did you try PUT and DELETE in the prod environment? Results?

Thanks Dino. You are right!
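
An added example, not part of the original thread or Apigee's own code: a small audit that reads ResourcePermission entries in the shape used in the question and reports any put/delete grant on a KVM path outside the one environment and KVM the role is meant to manage. The sample XML, its `ResourcePermissions` wrapper element, the `dev-settings` KVM name and the function names are constructed assumptions. It checks only grants written on the role, so the GET behaviour described in the answer still has to be confirmed with a request made as the developer.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ResourcePermission entries in the same shape as the
# request body in the question (wrapper element and KVM name are assumed).
SAMPLE = """<ResourcePermissions>
  <ResourcePermission path="/environments/test/keyvaluemaps/dev-settings">
    <Permissions><Permission>get</Permission><Permission>put</Permission><Permission>delete</Permission></Permissions>
  </ResourcePermission>
  <ResourcePermission path="/environments/*/keyvaluemaps">
    <Permissions><Permission>get</Permission></Permissions>
  </ResourcePermission>
  <ResourcePermission path="/environments/prod/keyvaluemaps/*">
    <Permissions><Permission>get</Permission><Permission>put</Permission></Permissions>
  </ResourcePermission>
</ResourcePermissions>"""

WRITE_VERBS = {"put", "delete"}


def kvm_write_grants(xml_text):
    """Return (environment, kvm, write verbs) for each KVM path granting put/delete."""
    grants = []
    # iter() also matches the root, so a single ResourcePermission document works too.
    for rp in ET.fromstring(xml_text).iter("ResourcePermission"):
        parts = rp.get("path", "").strip("/").split("/")
        # Only paths of the form /environments/{env}/keyvaluemaps[/{kvm}] are in scope.
        if len(parts) < 3 or parts[0] != "environments" or parts[2] != "keyvaluemaps":
            continue
        verbs = {p.text.strip().lower() for p in rp.iter("Permission") if p.text}
        writes = sorted(verbs & WRITE_VERBS)
        if writes:
            # A path that stops at /keyvaluemaps covers every KVM in that environment.
            kvm = parts[3] if len(parts) > 3 else "*"
            grants.append((parts[1], kvm, writes))
    return grants


def violations(xml_text, allowed_env, allowed_kvm):
    """Write grants that reach beyond the one environment/KVM the role should manage."""
    return [g for g in kvm_write_grants(xml_text)
            if g[0] != allowed_env or g[1] != allowed_kvm]


if __name__ == "__main__":
    for env, kvm, verbs in violations(SAMPLE, "test", "dev-settings"):
        print(f"unexpected write grant: env={env} kvm={kvm} verbs={','.join(verbs)}")
```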