Managing Permissions

This section explains how permissions work across different products and APIs managed from the Anypoint Plaform.


This page assumes that you have an Organization Administrator role in your organization, that you have been assigned as the administrator of one of the business groups of your Organization, or that you have API Version Owner permissions and that you want to manage user permissions for an API version, a business group or the entire organization.

How Permissions Work in the Anypoint Platform

In the Anypoint Platform, users belong to an organization and have a set of roles and permissions.

Each role contains a list of permissions that define what a user that holds that role can do with the specific resources it scopes.
Certain Roles come with a set of default permissions. As an Organization Administrator, you can create your customized roles and assign the permissions you see fit, or, depending on the product, you can add permissions directly to a specific user, without the need for roles.

Understanding Permissions

Depending on the amount of products you have in the Anypoint Platform, you’ll see a set of default types of permissions in every new organization and business group when first created. There is, however, one distinction to make between the permission types:

  1. Product Permissions

    • Default permissions for each Anypoint Platform product (Runtime Manager, Data Gateway, etc). They are environment specific – they grant you the ability to do something within a particular environment, but not to the entire organization.
      Product permissions can be assigned to custom roles, or to CloudHub roles.

      Access to Exchange is handled through the Exchange Administrators, Exchange Contributors, and Exchange Viewers roles. It is not possible to grant individual Exchange permissions to other roles. Consult the product documentation to learn more about this.
  2. API Permissions

    • Default Permissions for each API managed from the Anypoint Platform. They can be API version specific or they can be extended to all API versions - you can manage user access based on a particular API version, but you cannot extend those permissions to the entire organization. In order to grant users permissions to all APIs, add them to the API Versions Owner and Portals Owner roles.

    • You can assign user permissions to edit or view individual API versions or API portals using the API Version Owner and the Portal Viewer permission.

      These two API permissions grant the same scopes as the API Versions Owner and Portals Viewer roles, but limited to the API and version that you defined.
      Learn about these specific scopes in the roles article.

Since API versions and Products deployment environments are grouped under organizations (and optionally under business groups too), to access them you need to have an account that owns the necessary permissions and that belongs to its corresponding organization or business group (if such resource exists).

Roles that are assigned at the master organization level can only reference resources that are at the master organization level, roles that belong to a business group can only reference resources within that business group.

A user that owns any role of a business group is implicitly granted membership in that business group.
Once a user belongs to a business group within an organization, the only way to assign entitlements to that same user in a different business group is by assigning it a role within that second business group.