anypoint access management - roles

Anypoint Access Management ROLES Shanky Gupta

Upload: shanky-gupta

Post on 20-Jan-2017


TRANSCRIPT

Page 1: Anypoint access management - Roles

Anypoint Access Management ROLES

Shanky Gupta

Page 2: Anypoint access management - Roles

Assumptions

This presentation assumes that you have an Organization Administrator role in your organization, or that you have API Version Owner permissions and want to manage user permissions for your API version.

Page 3: Anypoint access management - Roles

Overview

A role within the Anypoint Platform is a set of pre-defined permissions for each different product within the Platform. Depending on the product, you can find pre-defined roles with their standard permissions, or you can customize your own permissions for each role.

The Access Management section grants you a space in which you can create Roles for the products to which you own the appropriate entitlements.

Page 4: Anypoint access management - Roles

Default Roles

These are the default roles available in every new organization and business group when first created:

Role Name: Description

API Creators: Create and manage API versions in the Anypoint Platform for APIs. Members of the API Creator role have the ability to add new APIs to the platform on the API administration page. This role grants no permissions on CloudHub.

Portals Viewer: Portal Viewers can see a list of the Private API Portals to which they have Portal Viewer permissions from the Developer Portal. They can also click to view those API Portals. Note that the ability to view an API Portal does not automatically give a user access to the API. Also note that you cannot grant Portal Viewer permissions unless the API has an API Portal.

Page 5: Anypoint access management - Roles

Role Name: Description

API Version Owner: API Version Owners can view specific versions of the API that they own. They inherit Portal Viewer permissions by default for any API Portals that you create for the API versions they own.

Audit Log Viewers: Users of this role have access to the UI for the Audit Log under Access Management.

Cloudhub Admin: Access to all CloudHub functionality.

Cloudhub Developer: Access to all CloudHub functionality, except organization and billing settings.

Cloudhub Support: Read-only access to dashboards, notifications, alerts, logs, and their user settings.

Organization Administrators: Editing access to all versions of all APIs, all registered applications, and all API Portals in the Anypoint Platform. Access to the Organization Administration page, where they can add and manage users and roles, view and edit organization details, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. Members of the Organization Administrator role also inherit the role of API Creator by default.

Exchange Administrators: Approves Exchange artifacts that the contributor creates so that the artifact can be published in Exchange.

Exchange Contributors: Contributes Exchange artifacts.

Exchange Viewers: Views Exchange artifacts.

Page 6: Anypoint access management - Roles

* * * IMPORTANT

If you click on a role, you can edit it, change its name or description, and add users to it or remove them from it.

The user who first signs up for the Anypoint Platform organization is known as the Organization Owner. This is not a role but an identifier for this single user, who inherits the Organization Administrator role by default.

When the Organization Owner creates a business group, they must assign a user as its owner. This user holds an Administrator role within that business group by default.

Page 7: Anypoint access management - Roles

Managing Roles

To access the Roles menu, first make sure you’re in the correct business group (by clicking the menu next to your username on the top-right of the screen), then click the appropriate link in the left menu.

Page 8: Anypoint access management - Roles

Creating Custom Roles

As an organization administrator, you can create custom roles by combining API resources, permissions, and users.

Click the Roles tab in the left navigation of your Organization Administration page.

Click Add role.

Enter a Name and Description for your custom role.

Your custom role now appears in your list of roles. Click the name of your new role to assign permissions to it.

Page 9: Anypoint access management - Roles

Assigning Permissions to Roles

By clicking a role name, you can access more information about that role, change its name and description, add permissions to it, or assign this role to specific users. Depending on the product with which the role is associated, these options may vary. For example, API roles cannot be removed and their permissions cannot be modified; however, you can add a description and add users to that role.

Depending on the number of products you own in the Anypoint Platform, the tabs displayed under the Permissions tab vary as well. Usually there is one tab per product enabled in your organization.

By default, all Anypoint Platform accounts have API and Runtime Manager permissions.

Page 10: Anypoint access management - Roles

To add permissions to a role, do the following:

Make sure you’re in the right business group.

Pick the Permissions tab.

Choose the product whose permissions you want to assign.

If you want to assign API permissions:

  Start typing your API name in the "Select the API resource by name" field.

  Select the version of the API. You can also choose all to grant privileges to all versions of the API you selected.

  Select the API permission you wish to grant. (API Permissions share the same name as API Roles and they grant the same privileges.)

If you want to assign Product Permissions:

  Type in the name of one of the environments existing in your organization (if these environments belong to a business group, they are only available when creating a role in that same business group).

  Now you are able to select what permissions to grant within that environment. You can also pick Select All to assign all permissions related to that environment to that role.

Click the + icon to the right to add those permissions to the role.

Page 11: Anypoint access management - Roles

* * * IMPORTANT

Note that product permissions are specific to a single environment, so if you have multiple environments and want to give a role the same permissions on all, you must add these permissions multiple times, one for each environment.
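Because each environment is granted separately, a role can end up with different permissions from one environment to the next. The following is an added example, not part of the original slides and not Anypoint Platform code: it compares a role's grants in each environment against a reference environment. The tuple layout, role name, environment names and permission names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export: (role, environment, permission).
# Names are placeholders, not Anypoint Platform identifiers.
GRANTS = [
    ("Ops Read Only", "Production", "read-applications"),
    ("Ops Read Only", "Production", "read-logs"),
    ("Ops Read Only", "Staging", "read-applications"),
    ("Ops Read Only", "Staging", "read-logs"),
    ("Ops Read Only", "Sandbox", "read-applications"),
    ("Ops Read Only", "Sandbox", "deploy-applications"),
]


def permissions_by_environment(grants, role):
    """Group one role's permissions by the environment they were added in."""
    by_env = defaultdict(set)
    for grant_role, env, perm in grants:
        if grant_role == role:
            by_env[env].add(perm)
    return dict(by_env)


def environment_drift(grants, role, reference, environments):
    """Compare every environment with the reference one.

    An environment with no grants at all (the role was never added there)
    is reported as missing the whole reference set.
    """
    by_env = permissions_by_environment(grants, role)
    baseline = by_env.get(reference, set())
    report = {}
    for env in environments:
        if env == reference:
            continue
        perms = by_env.get(env, set())
        missing = baseline - perms   # granted in reference, absent here
        extra = perms - baseline     # granted here, absent in reference
        if missing or extra:
            report[env] = {"missing": sorted(missing), "extra": sorted(extra)}
    return report


if __name__ == "__main__":
    envs = ["Production", "Staging", "Sandbox", "QA"]
    for env, diff in environment_drift(GRANTS, "Ops Read Only", "Production", envs).items():
        print(env, diff)
```
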

Page 12: Anypoint access management - Roles

Role Mapping

You can set up your Anypoint Platform organization so that when a SAML user belongs to certain groups, Anypoint Platform automatically grants certain equivalent roles in your Anypoint Platform organization.
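A model of the mapping described above, as an added example that is not from the original slides and not Anypoint Platform code: it resolves the roles a user ends up with from their SAML groups, including the inherited roles the slides mention, and lists the groups that lead to a high-privilege role. The SAML group names, the mapping table, the choice of which roles count as high privilege, and the rule that unmapped groups grant nothing are assumptions.

```python
# Inheritance stated on the slides: Organization Administrators also get
# API Creators; API Version Owner also gets Portals Viewer.
INHERITS = {
    "Organization Administrators": {"API Creators"},
    "API Version Owner": {"Portals Viewer"},
}

# Constructed group-to-role mapping; the SAML group names are hypothetical.
GROUP_ROLE_MAP = {
    "idp-api-team": {"API Creators"},
    "idp-platform-admins": {"Organization Administrators"},
    "idp-auditors": {"Audit Log Viewers"},
    "idp-ops": {"Cloudhub Support"},
}

# Reviewer's assumption about which default roles deserve extra scrutiny.
HIGH_PRIVILEGE = {"Organization Administrators", "Cloudhub Admin"}


def effective_roles(saml_groups, group_role_map=GROUP_ROLE_MAP):
    """Mapped roles plus inherited ones; unmapped groups grant nothing."""
    roles = set()
    for group in saml_groups:
        roles |= group_role_map.get(group, set())
    pending = list(roles)
    while pending:  # follow inheritance transitively
        for inherited in INHERITS.get(pending.pop(), set()):
            if inherited not in roles:
                roles.add(inherited)
                pending.append(inherited)
    return roles


def high_privilege_findings(users, group_role_map=GROUP_ROLE_MAP):
    """users: {username: [SAML groups]}.

    Returns the users whose group membership yields a high-privilege role,
    with the groups responsible, so the identity-provider side can be reviewed.
    """
    findings = {}
    for user, groups in users.items():
        granting = sorted(
            g for g in groups if group_role_map.get(g, set()) & HIGH_PRIVILEGE
        )
        if granting:
            findings[user] = granting
    return findings
```
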