
Using Roles to Manage Permissions

A role is a set of predefined permissions controlling access to each product or feature within Anypoint Platform. Depending on the product, you can use predefined roles with standard permissions, or you can specify your own permissions for each role. Roles are set only for individual users. Use the Teams feature for an access solution that works across business groups.

To manage roles and permissions within Anypoint Platform, you must have the Organization Administrator permission. To manage user permissions for an API version, you must have the API Versions Owner permission.

Anypoint Platform provides two types of roles:

  • Default roles: Roles that are created automatically when an organization or business group is created. These roles provide permissions and access to core functionality of Anypoint Platform. You can assign users to default roles, but you can’t delete default roles.

  • Custom roles: You can create and delete custom roles. You can assign users and add permissions to a custom role, as well as associate a custom role with specific Anypoint Platform products. For example, you can create a custom role called "Application Designer" and then grant Design Center permissions to the role so users assigned the Application Designer role can access Design Center.

Roles are specific to a business group. Before managing roles, click the menu next to your username to confirm that you’re in the correct business group.

Access Roles

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

Default Roles

Default roles are created automatically as part of an organization. Each default role in Anypoint Platform contains a set of predefined permissions and a scope of actions that enable the user to perform specific actions within the platform.

For more information on permissions in Anypoint Platform, see Managing Permissions.

Default Roles and Permission Scopes

  • API Creators: Enables a user to create and manage an API in Anypoint Platform. Members of the API Creator role can add new APIs to the platform on the API administration page. This role doesn’t grant privileges for Runtime Manager. This role has the following permission scopes:

    • Create/Import an API

  • API Versions Owner: Enables a user to manage, delete, and deprecate any API in the organization. They can edit the portal of any API in the organization. However, this role doesn’t enable a user to create a new version of an existing API. This role has the following permission scopes:

    • Manage any API Version in the organization

    • Delete any API Version in the organization

    • Deprecate any API Version in the organization

    • Edit the Portal of any API version in the organization

  • Audit Log Viewers: Enables a user to access the UI for the Audit Log under Access Management. This role has the following permission scopes:

  • CloudHub Admin: Provides access to all Runtime Manager functionality. This role has the following permission scopes:

    • Create Applications

    • Delete Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Servers

    • Manage Settings

    • Read Applications

  • CloudHub Developer: (Deprecated) Provides access to all Runtime Manager functionality, except organization and billing settings. This role has the following permission scopes:

    • Create Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Settings

    • Read Applications

    • Read Servers

  • CloudHub Support: (Deprecated) Provides read-only access to dashboards, notifications, alerts, logs, and their user settings. This role has the following permission scopes:

    • Read Applications

  • Organization Administrators: Enables a user to edit all versions of all APIs, all registered applications, and all API Portals in Anypoint Platform. This role also grants access to the Organization Administration page, where the user can add and manage users and roles, view and edit organization details, access API Manager > Client Applications, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. Members of the Organization Administrators role also inherit the role of API Creator by default. This role has the following permission scopes:

    • Edit developer portal theme settings

    • Request API access terms and conditions

    • Edit portal terms and conditions

    • Set custom policies

    • Manage access of third-party applications to an API (specific to the organization administrator of the root business group)

    • Edit users' email addresses

    • Grant VPC and CloudHub dedicated load balancer permissions

  • Exchange Administrators: Enables a user to manage Exchange Portals, including customizing them, managing assets, and managing reviews. This role has the following permission scopes:

    • Create content

    • Manage assets

    • Publish, delete, and deprecate content

    • Manage public visibility of assets

    • Customize Exchange portal

  • Exchange Contributors: This role has the following permission scopes:

    • Create content

    • Manage own content, including the ability to add a new version and edit your own version content, but you can’t delete your own version.

    • Manage own reviews, including the ability to add, edit, and delete

  • Exchange Viewers: Enables a user to view and consume Exchange assets. This role has the following permission scopes:

    • View and consume Exchange assets

    • Manage own reviews, including the ability to add, edit, and delete

  • Portals Viewer: (Deprecated in API Manager 2.0) The ability to view an API Portal doesn’t automatically give a user access to the API. You can’t grant Portal Viewer permissions unless the API has an API Portal. Users with this role can view API Portals from the Developer Portal, including private API portals where they have Portal Viewer permissions.

If you’re using API Manager 2.0, users with the Portals Viewer role aren’t able to view private APIs. For API Manager 2.0, assign the user at least the Exchange Viewers role to allow the user access to all Exchange assets within the business group where you assigned the permission.

To control access for a single private API, don’t assign the Exchange Viewers role to the user for the business group where the private API resides. Instead, use the share asset feature in Exchange. See Share an Asset. Only users with the Exchange Administrators role can share an asset with another user.

Add Users to a Default Role

To add a user to a role, the user must belong to the same business group as the role.

  1. Sign in to Anypoint Platform.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the default role.

    Default roles don’t have a radio button next to them.

  7. Enter the user’s name in the search box.

  8. Select the user from the drop-down list of results, then click the blue plus sign on the right of the search box.

  9. To change the role’s description:

    1. Click the description.

      The description changes to an editable field.

    2. Enter the new description for the role, then press Enter.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Custom Roles

As an organization administrator, you can create custom roles by combining APIs or applications, permissions, and users. Available options vary by product. For example, API roles can’t be removed and their permissions can’t be modified, but you can add a description and assign users to the role.

Product permissions are specific to a single environment. If you have multiple environments and want to give a role the same permissions on all of them, you must add these permissions multiple times, once for each environment.

Create a Custom Role

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click Add role.

  7. Enter a Name and Description for your custom role.
    Your custom role now appears in your list of roles.

  8. Click the name of your new role to assign permissions to it.

After creating a custom role, you can access more information about that role, change its name and description, add permissions to it, or assign this role to specific users.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Add a User to a Custom Role

After creating a custom role, you can assign users to the role.

  1. Sign in to Anypoint Platform.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the custom role to add users to.

  7. Click the Users tab, then enter a username or email in the search field.

  8. Select the user, then click the + icon.

Assign Permission Scopes to a Custom Role

After creating a custom role, you can assign permissions to the role. Some permissions within a role can be applied to specific environments. If these environments belong to a business group rather than the root organization, they’re available only when creating a role in that same business group.

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the custom role to add permission scopes to.

  7. Select the Permissions tab, and click Add Permissions.

  8. Select the permissions to add and click Next.

    The list of Permissions includes all permissions, even if they are already assigned to users. If you add a permission that’s already assigned, there is no effect.

  9. If the permission supports environment selection, select the environments to apply the permission to.

  10. Click Next.

  11. Review the permissions and environments they apply to, and then click Add Permissions.

    The permissions you selected now apply to the members of the role and appear in the Permissions section for the role.

Enable Access to Design Center

After creating a custom role, grant the Design Center Developer, Design Center Viewer, or Design Center Creator permission scope to the custom role to enable access to Design Center.

  1. Sign in to Anypoint Platform.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the custom role you want to add users to.

  7. Click Permissions, then click Add permissions.

  8. In the Design Center section, next to each permission you want to grant the user, select the checkbox.

  9. Click Next and then click Add permissions to add the permission.

Assign API Permissions to a Custom Role

API Manager 1.x

You can associate an API to a custom role. This enables you to create roles that give users access to a specific API.

  1. Sign in to Anypoint Platform.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the custom role to grant API access to.

    Custom roles have a radio button next to them.

  7. Click Permissions, then click APIs.

  8. Select an API from the drop-down list.

  9. Select the API version.
    Select All to enable access to all versions of this API.

  10. Select the permission from the drop-down list. You can add the following permissions to an API:

    • API Version Owner

    • Portal Viewer

API Manager 2.x

You can associate environment permissions to the custom role. This enables you to create roles that give users different permissions over environments.

  1. Sign in to Anypoint Platform.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Click the name of the custom role to grant API access to.

    Custom roles have a radio button next to them.

  7. Click Permissions, then click API Manager.

  8. Select an environment from the drop-down list.

  9. Select the permission from the drop-down list. You can add the following permissions to an environment:

    • API Manager Environment Administrator

    • Deploy API Proxy

    • Manage API Alerts

    • Manage APIs Configuration

    • Manage Contracts

    • Manage Policies

    • View API Alerts

    • View APIs Configuration

    • View Contracts

    • View Policies

Role Mapping

You can set up your Anypoint Platform organization so that when a SAML user belongs to certain groups, Anypoint Platform automatically grants certain equivalent roles in your Anypoint Platform organization.

Migrate Roles to Teams

After you opt in to the Teams feature, you can convert existing roles into permissions, convert roles to teams, or merge roles with teams.

When you convert or merge a role, the role is deleted.

Convert a Role to Permissions

When you convert roles to permissions, users keep the same permissions that they previously received with roles.

When you convert a role to permissions, the users who previously belonged to the role are no longer grouped according to their permissions and must be managed individually. Additionally, roles that can now be applied as (or converted to) permissions, such as the Exchange Contributors permission, can be managed only while you’re using the Teams feature.

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Next to the role that you want to convert, click the … menu.

  7. Click Convert to permissions….

  8. Click Convert to Permissions.

    The users who previously had the role are granted the same permissions that the role granted them, and the role is deleted.

Convert a Role to a Team

When you convert a role to a team, you create a new team that contains the users who previously held the converted role. The team you create also inherits permissions from the parent team you create it under.

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Next to the role that you want to convert, click the … menu.

  7. Click Convert to team….

  8. Enter a name for your new team.
    You can use alphanumeric characters, hyphens, and spaces in your team name.

  9. Select a parent team.
    The team you’re creating also inherits permissions from the parent team you select.

  10. Click Convert to Team.

    The users who previously had the role are added to a new team that has the same permissions as those granted by the role, and the role is deleted. Any external names formerly associated with the role are associated with the new team.

Merge a Role with a Team

When you merge a role with a team, the users who previously had the role keep the permissions granted by that role and also obtain permissions included in the team they have joined.

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. Select Access Management from the gear icon menu.

  3. In the Access Management navigation menu, select Business Groups.

  4. Select the name of the organization to access.

  5. Select the Roles tab.

  6. Next to the role that you want to convert, click the … menu.

  7. Click Merge with team….

  8. Select the team to merge the role members with.

  9. Click Merge with Team.

    The users who previously had the role are added to the selected team along with the role permissions, and the role is deleted. Any external names formerly associated with the role are associated with the selected team.
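
Converting a role to a team and merging a role with a team both change effective access, because of parent-team inheritance in the first case and the team's existing permissions in the second. The following Python example is added here and is not MuleSoft code or an Anypoint Platform API: it previews which permissions each group of users would gain before the role is deleted. The data model, team names, and environment names are constructed, and it assumes that a merge attaches the role's permissions to the selected team.

```python
# Added example: constructed data model, not Anypoint Platform's API or export format.
from dataclasses import dataclass, field

# (permission scope, environment): product permissions are granted per environment.
Perm = tuple[str, str]


@dataclass
class Team:
    name: str
    perms: set[Perm] = field(default_factory=set)
    parent: "Team | None" = None

    def effective(self) -> set[Perm]:
        """Own permissions plus everything inherited up the parent chain."""
        inherited = self.parent.effective() if self.parent else set()
        return self.perms | inherited


def gained_on_convert(role_perms: set[Perm], parent: Team) -> set[Perm]:
    """Convert to team: the new team carries the role's permissions and
    inherits the parent team's, so role members gain what the parent adds."""
    return parent.effective() - role_perms


def gained_on_merge(role_perms: set[Perm], team: Team) -> dict[str, set[Perm]]:
    """Merge with team: role members keep the role's permissions and obtain
    the team's. Assumption: the role's permissions are attached to the team,
    so existing team members gain them as well."""
    team_perms = team.effective()
    return {
        "role_members": team_perms - role_perms,
        "team_members": role_perms - team_perms,
    }


# Constructed sample data (team and environment names are made up).
ROOT = Team("Everyone", {("Read Applications", "Sandbox")})
OPS = Team("Ops", {("Delete Applications", "Production"),
                   ("Manage Settings", "Production")}, parent=ROOT)
ROLE_PERMS = {("Read Applications", "Sandbox"), ("Create Applications", "Sandbox")}

if __name__ == "__main__":
    print("convert under Ops:", sorted(gained_on_convert(ROLE_PERMS, OPS)))
    for group, delta in gained_on_merge(ROLE_PERMS, OPS).items():
        print("merge with Ops,", group, "gain:", sorted(delta))
```

An empty result for every group means the migration only regroups users; any non-empty set is access that nobody held through the role before and should be reviewed against the intended scope.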

View Limits for a Role

Each role has a Limits section that shows how close it is to hitting limits imposed by Anypoint Platform. This feature is available only in the new Access Management user interface.

To view limits:

  1. In the Access Management navigation menu, select Business Groups.

  2. Select the name of the organization to access.

  3. Select the Roles tab.

  4. Click the role with the limits you want to view.

  5. Click the Limits tab.

For more information on limits in Access Management, see Limits.