Is it possible to have separate teams in single org that can't touch upon each other's work, through the use of custom roles and permissions?
Although I read otherwise, it seems somewhat possible to use regex expressions to give permissions on specific resources, at least on proxies. But that doesn't do the trick. I don't succeed in locking down objects to a specific subgroup.
Test executed
Create custom role "RoleA"
Add UserA to RoleA
Create custom permissions to manage the "A*" proxies:
POST https://api.enterprise.apigee.com/v1/organizations/<org>/userroles/RoleA/resourcepermissions
{
  "resourcePermission" : [
    { "path" : "/applications", "permissions" : [ "get", "put" ] },
    { "path" : "/applications/A*", "permissions" : [ "get", "put", "delete" ] },
    { "path" : "/apis", "permissions" : [ "get", "put" ] },
    { "path" : "/apis/A*", "permissions" : [ "get", "put", "delete" ] }
  ]
}
Note: the docs talk about /applications but nowhere about /apis
As UserA, create proxy "Aproxy" and proxy "Bproxy".
POST https://api.enterprise.apigee.com/v1/organizations/<org>/apis { "name": "Bproxy" }
User A is able to delete proxy "Aproxy", but is not able to delete "Bproxy". Which is good, as hoped.
DELETE https://api.enterprise.apigee.com/v1/organizations/<org>/apis/Bproxy -> 403 Forbidden
But UserA is able to modify proxy "Bproxy", and that is not good.
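An added example, not part of the original post and not Apigee code: a small Python model of path-based permission evaluation that reproduces the three results reported above. The evaluation rule (most specific matching path wins, otherwise inherit from the parent path) is an assumption, and `ROLE_A_CANDIDATE` with its `/apis/*` and `/applications/*` entries is a hypothetical variant to verify against a real org with the same test calls.

```python
from fnmatch import fnmatchcase

# RoleA's resource permissions, copied from the request in the post.
ROLE_A = {
    "/applications": {"get", "put"},
    "/applications/A*": {"get", "put", "delete"},
    "/apis": {"get", "put"},
    "/apis/A*": {"get", "put", "delete"},
}

# Hypothetical candidate: an explicit wildcard entry that stops "put" on the
# collection from flowing down to proxies outside the A* prefix.
ROLE_A_CANDIDATE = {**ROLE_A, "/apis/*": {"get"}, "/applications/*": {"get"}}


def effective_permissions(role, resource):
    """Verbs granted on `resource` under the ASSUMED evaluation rule:
    the most specific pattern matching the path wins; if nothing matches
    at that depth, the parent path's permissions are inherited."""
    path = resource.rstrip("/")
    while path:
        depth = path.count("/")
        matches = [p for p in role
                   if p.count("/") == depth and fnmatchcase(path, p)]
        if matches:
            # More literal characters means a more specific pattern.
            return role[max(matches, key=lambda p: len(p.replace("*", "")))]
        path = path.rsplit("/", 1)[0]
    return set()


def is_allowed(role, verb, resource):
    return verb in effective_permissions(role, resource)


def leaked_verbs(role, resource, own_pattern):
    """Write verbs a role holds on a resource outside its own pattern."""
    if fnmatchcase(resource, own_pattern):
        return set()
    return effective_permissions(role, resource) - {"get"}


if __name__ == "__main__":
    for verb, res in [("delete", "/apis/Aproxy"), ("delete", "/apis/Bproxy"),
                      ("put", "/apis/Bproxy")]:
        print(f"{verb:6} {res:14} RoleA={is_allowed(ROLE_A, verb, res)} "
              f"candidate={is_allowed(ROLE_A_CANDIDATE, verb, res)}")
```

Under this model the `put` granted on `/apis` is what reaches `Bproxy`, since no entry at the proxy level matches it and the collection's permissions are inherited.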