Custom Role For User Add/Edit/Delete on the Edge

I wanted to create a custom_role which can add/edit/delete users on Apigee Edge. Currently only orgadmin role users can add/remove/delete users on the Edge.

Now I wanted to create a custom_role which can Add/Edit/Update the users on the Edge. This role can be assigned to User Management Team. I tried to create a custom role but no luck yet for these permissions.

I don't want to give the org_admin role to the User Management Team, as it has multiple permissions at the org level and that would not be ideal in our use case.

Any suggestions on how we can achieve this? Or does Apigee have a limitation where only the org_admin role can add/edit/delete users on Edge?

@Dino @Dino-at-Google


5 REPLIES

What permissions did you assign to the role?

It works for me.

I created a role, called "user_admin", and assigned these permissions:

{
  "resourcePermission": [
    {
      "organization": "ORGNAME",
      "path": "/userroles",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "ORGNAME",
      "path": "/userroles/*",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "ORGNAME",
      "path": "/userroles/*/users/*",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "ORGNAME",
      "path": "/userroles/ROLE/users",
      "permissions": [
        "delete",
        "put",
        "get"
      ]
    },
    {
      "organization": "ORGNAME",
      "path": "/userroles/ROLE/users/*",
      "permissions": [
        "put",
        "delete",
        "get"
      ]
    }
  ]
}

Then I added a user to that user_admin role.

Then, authenticated as the user in that role, I was able to add existing users to the role ROLE, via this API call:

curl -i -H 'Content-type: application/x-www-form-urlencoded' \
 -H 'Authorization: ***=' \
 -X POST \
'https://api.enterprise.apigee.com/v1/o/ORGNAME/userroles/ROLE/users?id=person@example.com'


I was not able to do the "add user to role" from the UI. There is some logic in the UI that blocks the display of the user admin page. Not sure why. But anyway you can invoke the Administrative API, and it works.
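
The permission document above confines put and delete to the users of one named role, which is what keeps user_admin from becoming a route to orgadmin membership. An added example, not part of the original reply and not Apigee tooling: a Python check that flags write grants not pinned to an allowed role. The name audit_role, the sample documents, and the assumption that `*` in the role segment matches any role name are this example's own.

```python
import json

WRITE = {"put", "delete"}  # verbs that change state in the permission document

def audit_role(doc, allowed_roles):
    """Return (path, verbs, reason) for every write grant that exceeds the
    intended scope: membership of the roles named in allowed_roles."""
    findings = []
    for entry in doc.get("resourcePermission", []):
        path = entry.get("path", "")
        verbs = sorted({p.lower() for p in entry.get("permissions", [])} & WRITE)
        if not verbs:
            continue  # read-only entries cannot change role membership
        segs = [s for s in path.split("/") if s]
        if not segs or segs[0] != "userroles":
            reason = "write outside /userroles"
        elif len(segs) < 2 or segs[1] == "*":
            # Assumption: "*" matches any role name, orgadmin included.
            reason = "write not pinned to a named role (covers orgadmin)"
        elif segs[1] not in allowed_roles:
            reason = "write on a role outside the allowed set"
        else:
            continue  # write pinned to an explicitly allowed role
        findings.append((path, verbs, reason))
    return findings

# Constructed samples. SCOPED mirrors the write entries posted above;
# BROAD is a hypothetical variant with a wildcard in the role segment.
SCOPED = json.loads("""{"resourcePermission": [
  {"organization": "ORGNAME", "path": "/userroles/*/users/*", "permissions": ["get"]},
  {"organization": "ORGNAME", "path": "/userroles/ROLE/users", "permissions": ["delete", "put", "get"]},
  {"organization": "ORGNAME", "path": "/userroles/ROLE/users/*", "permissions": ["put", "delete", "get"]}
]}""")
BROAD = json.loads("""{"resourcePermission": [
  {"organization": "ORGNAME", "path": "/userroles/*/users/*", "permissions": ["put", "delete", "get"]}
]}""")

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        for finding in audit_role(doc, {"ROLE"}):
            print(name, finding)
```

Run it against an exported role definition before assigning the role to a team; an empty result means every write grant is pinned to a role you listed.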

I tried the same, where I was not getting the User/Role tabs on the Edge UI. Let me open a support ticket for the same.

Just wanted to know one point where you said you have assigned a role to the existing user. Is there any way I can assign a role to the new user on the public Edge cloud using the API?

Is there any way I can assign a role to the new user on the public Edge cloud using the API?

Not as far as I know. If you use Apigee signon, then... the only way to "add a new user to a role" is to do it through the UI. This flow sends out an invitation in email to the new user's email, and they've got to click through a user agreement in order to sign in.

There's an outstanding request to make this capability available through the API. As far as I know, that request is still in the backlog.

"Existing user" means a user that has already signed in at least once to apigee.com.

If you are using SSO, then it's a different story.

OK,

I wanted to assign a role to the new user in my SSO org

curl -H "Content-Type:application/x-www-form-urlencoded" \
  -u <orgOrSysAdminEmail:pword> -X POST \
  https://<ms_IP>:8080/v1/organizations/{org_name}/userroles/{role_name}/users?id=foo@bar.com

But this looks like it is only for private cloud. How can we achieve the same in a public cloud SSO-enabled org?

https://docs.apigee.com/api-platform/system-administration/adding-global-users