Free MuleSoft CONNECT Keynote & Expo Pass Available!

Register now+
Nav

Roles

This topic describes how use roles to manage permissions within Anypoint Platform. This topic assumes that you have an Organization Administrator role in your organization or that you have API Versions Owner permissions and want to manage user permissions for an API version.

A role is a set of pre-defined permissions for each product component within Anypoint Platform. Depending on the product, you can use pre-defined roles with standard permissions, or you can specify your own permissions for each role. You can assign individuals to a role, or you can assign a role to another role.

Anypoint Platform provides two types of roles:

  • Default roles: roles that are created automatically when an organization or business group is created. These roles provide permissions and access to core functionality of Anypoint Platform. You can modify default roles by assigning users or other roles. However, you cannot delete a default role.

  • Custom roles: roles that a user can create, customize, and delete. You can assign users or roles to a custom role. You can also associate a custom role to a specific application. For example, you can create a custom role called Application Designer and assign that role to the Design Center application. This enables users assigned the Application Designer role to access the Design Center application.

To access the Roles menu in Access Management, ensure that you are in the correct business group by clicking the menu next to your username on the top-right of the screen.

roles-a3471

Default Roles

Default roles are roles that are created by default within an Organization.

To Edit a Default Role

You can edit a role by changing its name, description, or by adding users to the role.

  1. Login to Access Management, then click Roles.

  2. Click the name of the default role you want to edit.

    Default roles do not have a radial button next to them.

  3. To add a user to the role, enter their name in the search box.

When editing Role names and/or descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

List of Default Roles and Permission Scopes

The following are the default roles that are automatically created as part of an organization. Each default Role in Anypoint Platform contains a set of pre-defined permissions and scope of actions that enable the user to perform specific actions within the platform.

For more information on permissions in Anypoint Platform, see Managing Permissions.

  • API Creators: Enables a user to create and manage API versions in the Anypoint Platform for APIs. Members of the API Creator role have the ability to add new APIs to the platform on the API administration page. This role does not grant privileges for Runtime Manager. This role has the following permission scopes:

    • Create/Import an API Version

  • Portals Viewer: Enables a user to view a list of the Private API Portals to which they have Portal Viewer permissions from the Developer Portal. They can also click to view those API Portals. The ability to view an API Portal does not automatically give a user access to the API. You cannot grant Portal Viewer permissions unless the API has an API Portal. This role has the following permission scopes:

    • View API Portal

  • API Versions Owner: Enables a user to manage, delete, and deprecate any API in the organization. They can edit the portal of any API in the organization. This role has the following permission scopes:

    • Manage any API Version in the organization

    • Delete any API Version in the organization

    • Deprecate any API Version in the organization

    • Edit the Portal of any API version in the organization

  • Audit Log Viewers: Enables a user to access to the UI for the Audit Log under Access Management. This role has the following permission scopes:

  • Cloudhub Admin: Provides access to all Runtime Manager functionality. This role has the following permission scopes:

    • Create Applications

    • Delete Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Servers

    • Manage Settings

    • Read Applications

    • Read Servers

  • Cloudhub Developer: (Deprecated) Provides access to all Runtime Manager functionality, except organization and billing settings. This role has the following permission scopes:

    • Create Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Settings

    • Read Applications

    • Read Servers

  • Cloudhub Support: (Deprecated) Provides read-only access to dashboards, notifications, alerts, logs, and their user settings. This role has the following permission scopes:

    • Read Applications

  • Organization Administrators: Enables a user to edit to all versions of all APIs, all registered applications, and all API Portals in the Anypoint Platform. Access to the Organization Administration page, where they can add and manage users and roles, view and edit organization details, access API Manager > Client Applications, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. Members of the Organization Administrator role also inherit the role of API Creator by default. This role has the following permission scopes:

    • Edit Developer portal theme settings

    • Request API access terms & conditions

    • Edit Portal Terms and Conditions

    • Set Custom Policies

    • Manage access of third party applications to an API (Specific to the Organization Administrator of the Master Business Group)

    • Edit users email address

    • Grant VPC and CloudHub dedicated Load Balancer permissions

  • Exchange Administrators: Manage Exchange Portal Enables a user to manage Exchange Portals, including customization, manage assets, manage reviews. This role has the following permission scopes:

    • Create content

    • Manage assets

    • Publish/Delete/Deprecate content

    • Manage asset public visibility

    • Customize Exchange portal

  • Exchange Contributors: Enables a user to contribute Exchange assets and This role has the following permission scopes:manage versions. This role has the following permission scopes:

    • Create content

    • Manage own content/versions

    • Manage own reviews - Add/Edit/Delete

  • Exchange Viewers: Enables a user to view and consume Exchange assets. This role has the following permission scopes:

    • View and consume Exchange assets

    • Manage own reviews - Add/Edit/Delete

Custom Roles

As an organization administrator, you can create custom roles by combining API or applications, permissions, and users. Depending on the product to which the role is associated, these options may vary. For example, API roles cannot be removed and their permissions cannot be modified, however you can add a description and add users to that role.

If the only permissions associated with your role are Portal Viewer​, *Exchange Viewer​ and/or ​Application Owner​, then users belonging to this role won’t have access to the organization’s support portal.

Product permissions are specific to a single environment. If you have multiple environments and want to give a role the same permissions on all, you must add these permissions multiple times, one for each environment.

To Create a Custom Role

  1. Click the Roles tab in the left navigation of your Organization Administration page.

  2. Click Add role.

  3. Enter a Name and Description for your custom role.

  4. Your custom role now appears in your list of roles. Click the name of your new role to assign permissions to it.

After creating a custom role, you can access more information about that role, change its name and description, add permissions to it, or assign this role to specific users.

When editing Role names and/or descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

To Add a User to a Custom Role

After creating a custom role, you assign users to the role.

  1. From Access Management, select Roles.

  2. Click the name of the custom role where you want to add users.

  3. Click the Users tab, then enter a username or email in the search field.

  4. Select the user, then click the + icon.

To Assign Permission Scopes for an Application to a Custom Role

After creating a custom role, you can assign permissions to the role. If these environments belong to a business group, they are only available when creating a role in that same business group

  1. From Access Management, select Roles.

  2. Click the name of the custom role where you want to add permission scopes.

  3. Click the Permissions tab, then select one of the following tabs:

    • Runtime Manager

    • MQ

    • Data Gateway

      Depending on your permissions you may not see all of these options.

  4. Click the Permissions drop-down menu, then select the permissions you want to assign to the custom role.

    The list of available permissions is different for each application.

  5. Click the + icon to add the permissions to the role.

To Enable Access to the Design Center Application

After creating a custom role, you can enable access to the Design Center application by granting the Design Center Developer permission scope to the custom role.

  1. From Access Management, select Roles.

  2. Click the name of the custom role where you want to add users.

  3. Click Permissions, then click Design Center.

    Adding permissions to Design Center
  4. Click the Select Access drop-down, then click the check box next to Design Center Developer.

  5. Click the + icon to add the Designer Center Developer permission scope.

To Assign API Permissions to a Custom Role

You can also associate an API or an Anypoint application to the custom role. This enables you to create roles that give users access to a specific API.

  1. From Access Management, select Roles.

  2. Click the name of the custom role you want to grant access to an API.

    Custom roles have a radial button next to them.

  3. Click Permissions, then click APIs.

  4. Select an API from the drop-down list.

  5. Select the API version. Select All to enable access to all versions of this API.

  6. Select the permission from the drop-down list. You can add the following permissions to an API:

    • API Version Owner

    • Portal Viewer

Role Mapping

You can set up your Anypoint Platform organization so that when a SAML user belongs to certain groups, Anypoint Platform automatically grants certain equivalent roles in your Anypoint Platform organization.