Contact Us 1-800-596-4880

Roles

Roles are now deprecated in favor of the Teams feature, but you can still manage roles using business groups. You grant most roles as permissions instead.

A role is a set of predefined permissions controlling access to each product or feature within Anypoint Platform. Depending on the product, you can use predefined roles with standard permissions, or you can specify your own permissions for each role. Roles are set only for individual users. Use the Teams feature for an access solution that works across business groups.

To manage roles and permissions within Anypoint Platform, you must have the Organization Administrator permission. To manage user permissions for an API version, you must have the API Versions Owner permission.

Anypoint Platform provides two types of roles:

  • Default roles: Roles that are created automatically when an organization or business group is created. These roles provide permissions and access to core functionality of Anypoint Platform. You can assign users to default roles, but you can’t delete default roles.

  • Custom roles: You can create and delete custom roles. You can assign users and add permissions to a custom role, as well as associate a custom role with specific Anypoint Platform products. For example, you can create a custom role called "Application Designer" and then grant Design Center permissions to the role so users assigned the Application Designer role can access Design Center.

Roles are business group specific, so ensure that you are in the correct business group for which to manage roles by clicking the menu next to your username on the top-right of the screen.

Access Roles

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

Default Roles

Default roles are automatically created as part of an organization. Each default role in Anypoint Platform contains a set of pre-defined permissions and scope of actions that enable the user to perform specific actions within the platform.

For more information on permissions in Anypoint Platform, see Managing Permissions.

Default Roles and Permission Scopes

  • API Creators: Enables a user to create and manage an API in Anypoint Platform. Members of the API Creator role can add new APIs to the platform on the API administration page. This role does not grant privileges for Runtime Manager. This role has the following permission scopes:

    • Create/Import an API

  • API Versions Owner: Enables a user to manage, delete, and deprecate any API in the organization. They can edit the portal of any API in the organization. However, this role does not enable a user to create a new version of an existing API. This role has the following permission scopes:

    • Manage any API Version in the organization

    • Delete any API Version in the organization

    • Deprecate any API Version in the organization

    • Edit the Portal of any API version in the organization

  • Audit Log Viewers: Enables a user to access to the UI for the Audit Log under Access Management. This role has the following permission scopes:

  • CloudHub Admin: Provides access to all Runtime Manager functionality. This role has the following permission scopes:

    • Create Applications

    • Delete Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Servers

    • Manage Settings

    • Read Applications

  • CloudHub Developer: (Deprecated) Provides access to all Runtime Manager functionality, except organization and billing settings. This role has the following permission scopes:

    • Create Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Settings

    • Read Applications

    • Read Servers

  • CloudHub Support: (Deprecated) Provides read-only access to dashboards, notifications, alerts, logs, and their user settings. This role has the following permission scopes:

    • Read Applications

  • Organization Administrators: Enables a user to edit all versions of all APIs, all registered applications, and all API Portals in Anypoint Platform. Access to the Organization Administration page, where the user can add and manage users and roles, view and edit organization details, access API Manager > Client Applications, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. Members of the Organization Administrators role also inherit the role of API Creator by default. This role has the following permission scopes:

    • Edit developer portal theme settings

    • Request API access terms and conditions

    • Edit portal terms and conditions

    • Set custom policies

    • Manage access of third-party applications to an API (specific to the organization administrator of the root business group)

    • Edit users' email addresses

    • Grant VPC and CloudHub dedicated load balancer permissions

  • Exchange Administrators: Enables a user to manage Exchange Portals, including customization, manage assets, manage reviews. This role has the following permission scopes:

    • Create content

    • Manage assets

    • Publish, delete, and deprecate content

    • Manage public visibility of assets

    • Customize Exchange portal

  • Exchange Contributors: This role has the following permission scopes:

    • Create content

    • Manage own content, including the ability to add a new version and edit your own version content, but you cannot delete your own version.

    • Manage own reviews, including the ability to add, edit, and delete

  • Exchange Viewers: Enables a user to view and consume Exchange assets. This role has the following permission scopes:

    • View and consume Exchange assets

    • Manage own reviews, including the ability to add, edit, and delete

  • Portals Viewer: (Deprecated in API Manager 2.0) The ability to view an API Portal does not automatically give a user access to the API. You cannot grant Portal Viewer permissions unless the API has an API Portal. This role has the following permission scopes:

    • From the Developer Portal, view API Portals, including private API portals for which they have Portal Viewer permissions

If you are using API Manager 2.0, users with the Portals Viewer role are not able to view private APIs. For API Manager 2.0, assign the user at least the Exchange Viewers role to allow the user access to all Exchange assets within the business group in which you have assigned the permission.
To control access for a single private API, don’t assign the Exchange Viewers role to the user for the business group where the private API resides. Instead, use the share asset feature in Exchange. See Share an Asset. Only users with the Exchange Administrators role can share an asset with another user.

Add Users to a Default Role

To add a user to a role, the user must belong to the same business group as the role.

  1. Log in to Anypoint Platform.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the default role.

    Default roles do not have a radial button next to them.

  7. Enter the user’s name in the search box.

  8. Select the user from the drop-down list of results, then click the blue plus sign on the right of the search box.

  9. To change the role’s description:

    1. Click the description.
      The description changes to an editable field.

    2. Enter the new description for the role, then press Enter.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Custom Roles

As an organization administrator, you can create custom roles by combining API or applications, permissions, and users. Depending on the product to which the role is associated, these options may vary. For example, API roles cannot be removed and their permissions cannot be modified, however you can add a description and add users to that role.

Product permissions are specific to a single environment. If you have multiple environments and want to give a role the same permissions on all, you must add these permissions multiple times—​one for each environment.

Create a Custom Role

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click Add role.

  7. Enter a Name and Description for your custom role.
    Your custom role now appears in your list of roles.

  8. Click the name of your new role to assign permissions to it.

After creating a custom role, you can access more information about that role, change its name and description, add permissions to it, or assign this role to specific users.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Add a User to a Custom Role

After creating a custom role, you can assign users to the role.

  1. Log in to Anypoint Platform.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the custom role to which to add users.

  7. Click the Users tab, then enter a username or email in the search field.

  8. Select the user, then click the + icon.

Assign Permission Scopes to a Custom Role

After creating a custom role, you can assign permissions to the role. Some permissions within a role can be applied to specific environments. If these environments belong to a business group rather than the root organization, they are available only when creating a role in that same business group.

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the custom role to which to add permission scopes.

  7. Click the Permissions tab, then select one of the following tabs:

    • API Manager

    • Visualizer

    • Runtime Manager

    • Design Center

    • Data Gateway

    • MQ

    • Anypoint Monitoring

    • Secrets Manger

    • Tokenization

      Depending on your permissions, you might not see all of these options.

  8. Click the Permissions drop-down menu, then select the permissions you want to assign to the custom role.

    The list of available permissions is different for each application.

  9. Click the + icon to add the permissions to the role.

Enable Access to Design Center

After creating a custom role, grant the Design Center Developer, Design Center Viewer, or Design Center Creator permission scope to the custom role to enable access to Design Center.

  1. Log in to Anypoint Platform.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the custom role to which to add users.

  7. Click Permissions, then click Add permissions.

  8. In the Design Center section, next to each permission you want to grant the user, select the checkbox.

  9. Click Next and then click Add permissions to add the permission.

Assign API Permissions to a Custom Role

API Manager 1.x

You can associate an API to a custom role. This enables you to create roles that give users access to a specific API.

  1. Log in to Anypoint Platform.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the custom role to which to grant access to an API.

    Custom roles have a radial button next to them.

  7. Click Permissions, then click APIs.

  8. Select an API from the drop-down list.

  9. Select the API version.
    Select All to enable access to all versions of this API.

  10. Select the permission from the drop-down list. You can add the following permissions to an API:

    • API Version Owner

    • Portal Viewer

API Manager 2.x

You can associate environment permissions to the custom role. This enables you to create roles that give users different permissions over environments.

  1. Log in to Anypoint Platform.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click the name of the custom role to which to grant access to an API.

    Custom roles have a radial button next to them.

  7. Click Permissions, then click API Manager.

  8. Select an environment from the drop-down list.

  9. Select the permission from the drop-down list. You can add the following permissions to an environment:

    • API Manager Environment Administrator

    • Deploy API Proxy

    • Manage API Alerts

    • Manage APIs Configuration

    • Manage Contracts

    • Manage Policies

    • View API Alerts

    • View APIs Configuration

    • View Contracts

    • View Policies

Role Mapping

You can set up your Anypoint Platform organization so that when a SAML user belongs to certain groups, Anypoint Platform automatically grants certain equivalent roles in your Anypoint Platform organization.

Migrate Roles to Teams

After you opt in to the Teams feature, you can convert existing roles into permissions, convert roles to teams, or merge roles with teams.

When you convert or merge a role, the role is deleted.

Convert a Role to Permissions

When you convert roles to permissions, users keep the same permissions that they previously received with roles.

When you convert a role to permissions, the users that belonged to the role are no longer grouped according to their permissions and must be managed individually. Additionally, roles that can now be applied as (or converted to) permissions, such as the Exchange Contributors permission, can be managed only while you are using the Teams feature.
  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Next to the role that you want to convert, click the …​ menu.

  7. Click Convert to permissions…​.

  8. Click Convert to Permissions.

    The users who previously had the role are granted the same permissions that the role granted them, and the role is deleted.

Convert a Role to a Team

When you convert a role to a team, you create a new team that contains the users who previously held the converted role. The team you create also inherits permissions from the parent team under which you create it.

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Next to the role that you want to convert, click the …​ menu.

  7. Click Convert to team…​.

  8. Enter a name for your new team.
    You can use alphanumeric characters, hyphens, and spaces in your team name.

  9. Select a parent team.
    Note that the team you are creating also inherits permissions from the parent team that you select.

  10. Click Convert to Team.

    The users who previously had the role are added to a new team that has the same permissions as those granted by the role, and the role is deleted. Any external names formerly associated with the role are associated with the new team.

Merge a Role with a Team

When you merge a role with a team, the users that previously had the role keep the permissions granted by that role and also obtain permissions included in the team they have joined.

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Next to the role that you want to convert, click the …​ menu.

  7. Click Merge with team…​.

  8. Select the team with which you want to merge the members who have the role.

  9. Click Merge with Team.

    The users who previously had the role are added to the selected team along with the role permissions, and the role is deleted. Any external names formerly associated with the role are associated with the selected team.

View Limits for a Role

Each role has a Limits section that shows how close it is to hitting limits imposed by Anypoint Platform. Note that this feature is available only if you are using the new Access Management user interface.

To view limits:

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of the organization you want to access.

  3. Click the Roles tab.

  4. Click the role for which you want to view limits.

  5. Click the Limits tab.

For more information on limits in Access Management, see Limits.