
Roles

To manage roles and permissions within Anypoint Platform, you must have the Organization Administrators role. To manage user permissions for an API version, you must have the API Versions Owner role.

A role is a set of pre-defined permissions for each product, or feature, within Anypoint Platform. Depending on the product, you can use pre-defined roles with standard permissions, or you can specify your own permissions for each role.

Anypoint Platform provides two types of roles:

  • Default roles: Roles that are created automatically when an organization or business group is created. These roles provide permissions and access to core functionality of Anypoint Platform. You can assign users to default roles, but you can’t delete default roles.

  • Custom roles: You can create and delete custom roles. You can assign users and add permissions to a custom role, as well as associate a custom role with specific Anypoint Platform products. For example, you can create a custom role called "Application Designer" and then grant Design Center permissions to the role so users assigned the Application Designer role can access Design Center.

Roles are specific to a business group. Before managing roles, make sure you are in the correct business group by clicking the menu next to your username at the top right of the screen.

To access the Roles menu in Access Management:

  1. Sign in to your Anypoint Platform account as a user with the Organization Administrators role.

  2. Select the Access Management option from the main page, or click the menu button in the top-left corner.

  3. In the Access Management page, click Roles.

Default Roles

Default roles are automatically created as part of an organization. Each default role in Anypoint Platform contains a set of pre-defined permissions and scope of actions that enable the user to perform specific actions within the platform.

For more information on permissions in Anypoint Platform, see Managing Permissions.

Default Roles and Permission Scopes

  • API Creators: Enables a user to create and manage an API in Anypoint Platform. Members of the API Creator role can add new APIs to the platform on the API administration page. This role does not grant privileges for Runtime Manager. This role has the following permission scopes:

    • Create/Import an API

  • API Versions Owner: Enables a user to manage, delete, and deprecate any API in the organization. They can edit the portal of any API in the organization. However, this role does not enable a user to create a new version of an existing API. This role has the following permission scopes:

    • Manage any API Version in the organization

    • Delete any API Version in the organization

    • Deprecate any API Version in the organization

    • Edit the Portal of any API version in the organization

  • Audit Log Viewers: Enables a user to access the UI for the Audit Log under Access Management. This role has the following permission scopes:

  • CloudHub Admin: Provides access to all Runtime Manager functionality. This role has the following permission scopes:

    • Create Applications

    • Delete Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Servers

    • Manage Settings

    • Read Applications

    • Read Servers

  • CloudHub Developer: (Deprecated) Provides access to all Runtime Manager functionality, except organization and billing settings. This role has the following permission scopes:

    • Create Applications

    • Download Applications

    • Manage Alerts

    • Manage Application Data

    • Manage Queues

    • Manage Schedules

    • Manage Settings

    • Read Applications

    • Read Servers

  • CloudHub Support: (Deprecated) Provides read-only access to dashboards, notifications, alerts, logs, and their user settings. This role has the following permission scopes:

    • Read Applications

  • Organization Administrators: Enables a user to edit all versions of all APIs, all registered applications, and all API Portals in Anypoint Platform. Also provides access to the Organization Administration page, where the user can add and manage users and roles, view and edit organization details, access API Manager > Client Applications, access the client ID and client secret for the organization, and customize the theme of the Developer Portal. Members of the Organization Administrators role also inherit the role of API Creator by default. This role has the following permission scopes:

    • Edit developer portal theme settings

    • Request API access terms and conditions

    • Edit portal terms and conditions

    • Set custom policies

    • Manage access of third party applications to an API (Specific to the organization administrator of the Master Business Group)

    • Edit users' email addresses

    • Grant VPC and CloudHub dedicated load balancer permissions

  • Exchange Administrators: Enables a user to manage Exchange Portals, including customizing the portal, managing assets, and managing reviews. This role has the following permission scopes:

    • Create content

    • Manage assets

    • Publish, delete, and deprecate content

    • Manage public visibility of assets

    • Customize Exchange portal

  • Exchange Contributors: This role has the following permission scopes:

    • Create content

    • Manage own content and versions

    • Manage own reviews, including the ability to add, edit, and delete

  • Exchange Viewers: Enables a user to view and consume Exchange assets. This role has the following permission scopes:

    • View and consume Exchange assets

    • Manage own reviews, including the ability to add, edit, and delete

  • Portals Viewer: (Deprecated in API Manager 2.0) The ability to view an API Portal does not automatically give a user access to the API. You cannot grant Portal Viewer permissions unless the API has an API Portal. This role has the following permission scopes:

    • From the Developer Portal, view API Portals, including private API portals for which they have Portal Viewer permissions

If you are using API Manager 2.0, users with the Portals Viewer role are not able to view private APIs. For API Manager 2.0, assign the user at least the Exchange Viewers role to allow the user access to all Exchange assets within the business group in which you have assigned the permission.
To control access for a single private API, don’t assign the Exchange Viewers role to the user for the business group where the private API resides. Instead, use the share asset feature in Exchange. See Share an Asset. Only users with the Exchange Administrators role can share an asset with another user.

Add Users to a Default Role

To add a user to a role, the user must belong to the same business group as the role.

  1. Sign in to Access Management, then click Roles.

  2. Click the name of the default role.

    Default roles do not have a radio button next to them.

  3. Enter the user’s name in the search box.

  4. Select the user from the drop-down list of results, then click the blue plus sign on the right of the search box.

  5. To change the role’s description:

    1. Click the description.
      The description changes to an editable field.

    2. Enter the new description for the role, then press Enter.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Custom Roles

As an organization administrator, you can create custom roles by combining APIs or applications, permissions, and users. The available options vary depending on the product with which the role is associated. For example, API roles cannot be removed and their permissions cannot be modified, but you can add a description and add users to such a role.

If the only permissions associated with your role are Portal Viewer, Exchange Viewer, or Application Owner, then users belonging to this role won’t have access to the organization’s support portal.

Product permissions are specific to a single environment. If you have multiple environments and want to give a role the same permissions on all of them, you must add these permissions multiple times, once for each environment.
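Because permissions are granted per environment, and because several default roles above are marked deprecated, a periodic access review can compare what each custom role holds in each environment and list users still assigned deprecated roles. The following is an added example, not part of the original page or of Anypoint Platform: the role names, users, and the tuple layout of the grants are constructed for illustration and do not represent an Anypoint export format.

```python
from collections import defaultdict

# Default roles this page marks as deprecated.
DEPRECATED_ROLES = {"CloudHub Developer", "CloudHub Support", "Portals Viewer"}

# Constructed sample: (custom role, product, environment, permission) grants.
# Permission names are taken from the lists on this page; role names are hypothetical.
SAMPLE_GRANTS = [
    ("Integration Ops", "Runtime Manager", "Sandbox", "Read Applications"),
    ("Integration Ops", "Runtime Manager", "Sandbox", "Manage Alerts"),
    ("Integration Ops", "Runtime Manager", "Production", "Read Applications"),
    ("API Policy Editors", "API Manager", "Sandbox", "Manage Policies"),
    ("API Policy Editors", "API Manager", "Production", "Manage Policies"),
]
# Constructed sample: user -> roles assigned to that user.
SAMPLE_MEMBERS = {
    "alice": ["Integration Ops"],
    "bob": ["CloudHub Developer", "API Policy Editors"],
}


def environment_drift(grants, environments):
    """Return {(role, product): {environment: [missing permissions]}}.

    A permission counts as missing in an environment when the role holds it
    in at least one other environment. Environments where the role has no
    grants at all are reported too. Drift may be intentional (for example,
    fewer rights in Production); the output is a list to review.
    """
    per_env = defaultdict(lambda: defaultdict(set))
    for role, product, env, perm in grants:
        per_env[(role, product)][env].add(perm)
    drift = {}
    for key, envs in per_env.items():
        union = set().union(*envs.values())
        missing = {e: sorted(union - envs.get(e, set()))
                   for e in environments if union - envs.get(e, set())}
        if missing:
            drift[key] = missing
    return drift


def deprecated_assignments(members):
    """Return sorted (user, role) pairs where the role is deprecated."""
    return sorted((user, role) for user, roles in members.items()
                  for role in roles if role in DEPRECATED_ROLES)


if __name__ == "__main__":
    print(environment_drift(SAMPLE_GRANTS, ["Sandbox", "Production"]))
    print(deprecated_assignments(SAMPLE_MEMBERS))
```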

Create a Custom Role

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click Add role.

  3. Enter a Name and Description for your custom role.
    Your custom role now appears in your list of roles.

  4. Click the name of your new role to assign permissions to it.

After creating a custom role, you can access more information about that role, change its name and description, add permissions to it, or assign this role to specific users.

When editing role names and descriptions, use the 'Enter' key to save changes. Clicking outside the text box cancels the edit without saving it.

Add a User to a Custom Role

After creating a custom role, you can assign users to the role.

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click the name of the custom role to which to add users.

  3. Click the Users tab, then enter a username or email in the search field.

  4. Select the user, then click the + icon.

Assign Permission Scopes to a Custom Role

After creating a custom role, you can assign permissions to the role. Environments that belong to a business group are available only when creating a role in that same business group.

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click the name of the custom role to which to add permission scopes.

  3. Click the Permissions tab, then select one of the following tabs:

    • API Manager

    • Visualizer

    • Runtime Manager

    • Design Center

    • Data Gateway

    • MQ

    • Anypoint Monitoring

    • Secrets Manager

    • Tokenization

      Depending on your permissions you may not see all of these options.

  4. Click the Permissions drop-down menu, then select the permissions you want to assign to the custom role.

    The list of available permissions is different for each application.

  5. Click the + icon to add the permissions to the role.

Enable Access to Design Center

After creating a custom role, grant the Design Center Developer permission scope to the custom role to enable access to Design Center.

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click the name of the custom role to which to add users.

  3. Click Permissions, then click Design Center.

  4. Click the Select Access drop-down, then click the check box next to Design Center Developer.

  5. Click the + icon to add the Design Center Developer permission scope.

Assign API Permissions to a Custom Role

API Manager 1.x

You can associate an API to a custom role. This enables you to create roles that give users access to a specific API.

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click the name of the custom role to which to grant access to an API.

    Custom roles have a radio button next to them.

  3. Click Permissions, then click APIs.

  4. Select an API from the drop-down list.

  5. Select the API version.
    Select All to enable access to all versions of this API.

  6. Select the permission from the drop-down list. You can add the following permissions to an API:

    • API Version Owner

    • Portal Viewer

API Manager 2.x

You can associate environment permissions to the custom role. This enables you to create roles that give users different permissions over environments.

  1. Click the Roles tab in the left navigation of the Access Management page for your organization.

  2. Click the name of the custom role to which to grant access to an API.

    Custom roles have a radio button next to them.

  3. Click Permissions, then click API Manager.

  4. Select an environment from the drop-down list.

  5. Select the permission from the drop-down list. You can add the following permissions to an environment:

    • API Manager Environment Administrator

    • Deploy API Proxy

    • Manage API Alerts

    • Manage APIs Configuration

    • Manage Contracts

    • Manage Policies

    • View API Alerts

    • View APIs Configuration

    • View Contracts

    • View Policies

Role Mapping

You can set up your Anypoint Platform organization so that when a SAML user belongs to certain groups, Anypoint Platform automatically grants certain equivalent roles in your Anypoint Platform organization.
