Contact Us 1-800-596-4880

Users

As an administrator of your root organization, you can enable, disable, or delete users.

By selecting the checkbox next to a user, additional options related to that user appear:

  • Enable: Enables the disabled users in the selected organization or business group.

  • Disable: Disables the users in the selected organization or business group so that they’re no longer able to sign in.

  • Delete: When deleting from the root organization, all of the user’s permissions are removed, and the user becomes unattached. When deleting from a business group, all of the user’s permissions for only the selected business group are removed. The deleted user’s data resides in the organization for audit logging purposes.

Before You Begin

Before getting started, ensure that you have:

  • The Organization Administrator permission

  • The API Version Owner permission if you plan to manage user permissions for your API version

Inviting a User to Anypoint Platform

This feature is not available in Anypoint Platform Private Cloud Edition, Government Cloud, or for organizations that use external identity providers for single sign-on (SSO) and have disabled account creation. You must manage users, including invitations for new users, through your third-party IdP or LDAP.

As an organization administrator of a root organization, you can invite new users and manage existing users for your organization.

To invite new users to your organization:

  1. In the Access Management navigation menu, click Users.

  2. Click Invite user.

  3. Enter the email addresses of the users that you want to invite to your organization as a comma-separated list.

  4. Optionally, select a team or role (deprecated) to assign permissions to these users.

  5. Click Send Invitation.

The users you specify receive email invitations to join your organization. Invited users must use the link they receive in the invitation to join your organization. When they click the link, they are presented with a sign-up form that already has the Company field completed with the name of your organization.

Note that the email link expires in one week.

Invited users have access to the same set of resources as you (although they may have different permissions that can restrict what they can view or do).

Resending or Canceling a Sent Invitation

Click Pending Invites to view all invitations that have not yet been accepted. Select the ones you need to manage, and click Re-send Invite or Cancel Invite.

Grant Permissions to Users

Organization administrators manage user access using teams or roles (deprecated), or by granting permissions to users individually. Note that teams and roles functionality are mutually exclusive.

In the Users page, click a user name to access more information about that user, manage and view permissions, manage and view teams or roles, or reset their password.

By default, in every new organization and business group, you can assign the following:

  • Assign API permissions: Select the name of the API you want to give access to, then pick a version and permission.

  • Assign Runtime Manager permissions: Select the name of the Runtime Manager environment to give access to, then pick a permission.

  • Assign teams: Select the name of the team to give access to.

  • Assign roles (deprecated): Select the name of the role to grant. Check the roles section for a description of the default roles within an organization and business group.

In the legacy roles user interface, roles and permissions are grouped under organizations (and also, optionally, under business groups). This means that you can only assign roles and permissions that are related to resources that exist in the organization and/or business group that you are selecting.

If necessary, you can also remove user permissions, but note that if those permissions are granted through an assigned team or role, you can remove them only by using the teams or Roles functionality respectively. You cannot view or remove team-based or role-based permissions in the Users page.

Because the Roles feature is deprecated, it is best to opt in to the Teams feature by selecting Try New Features to manage permissions in a hierarchy.

You can use the legacy roles interface or the Teams feature to grant permissions to an individual user.

To grant permissions to an individual user in the legacy roles interface:

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Users.

  4. Click the username of the user to which you want to assign permissions.

  5. In the Permissions section, click the product to which you want to assign permissions.

  6. In the Permission(s) section, in the Select access field, select the permissions that you want assign and then click +.

  7. If you selected a product to which you can assign permissions to an environment, in the Environment field, select the permissions that you want to assign and then click +.

    The user now has the permissions you selected.

To grant permissions to an individual user with the Teams feature enabled:

  1. Sign in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Users.

  4. Click the name of the user to which you want to assign permissions.

  5. Click the Permissions tab.

  6. In the Permissions section, click Add permissions.

    The Add Permissions window appears.

  7. In the Select Permissions section, select the permissions that you want to add and then click Next.

  8. In the Select Business Groups section, select the business groups to which you want to apply the permissions. If you selected a permission that enables you to select environments, you can select which environments to apply to the permission. Click Next.

    In the Review section, review the permissions and the business groups and environments to which they apply.

  9. Click Add Permissions.

    The user now has the permissions you selected in the business groups and environments you specified.

View Limits for a User

Each administrative page for a user contains a Limits section that shows how close the account is to hitting limits imposed by Anypoint Platform.

To view limits:

  1. In the Access Management navigation menu, click Users.

  2. Click the user for which you want to view limits.

  3. Click the Limits tab.

The number of permissions used might include internal permissions granted automatically by the system, which are not always visible in the UI.

For more information on limits in Access Management, see Limits.

Managing Deleted Users

When you delete a user from your root organization, the user is soft deleted. This user can no longer access the root organization or business groups but maintains an Anypoint Platform account and can later be associated with another organization. Anypoint Platform maintains a record of such users for the purposes of audit logs.

Deleting a user does not affect the assets created by that user. For instance, deleting a user who has created an API in Exchange, an API in API Manager, or an application in Runtime Manager does not have any impact on the assets they created.

If an Anypoint Platform user that was removed from an organization tries to log in to their former organization, the login request fails, with a Your credentials are not valid error message.

An organization administrator can invite the user to join the same organization again, but the user must create a new username. If the user tries to log in with their old account, the sign up request fails, stating Cannot create user. User already exists.

If a deleted federated user tries to log in, the login request fails, with a This user is disabled error message, but the user still appears in the organization as a disabled account. An organization administrator can re-enable this user.

Managing External Users of Your Public APIs

When you make an API portal public, users from any other Anypoint Platform organization can register client applications to call your API. When these users log in to your public developer portal, they are considered external users because they are outside of your organization.

When a user logs into Anypoint Platform for the first time, they are automatically added to the External Users tab. From the External Users tab in Access management, you can view a list of all external users. You can also enable or disable each of these external users from this screen. When you disable an external user, they can no longer log in to your public portal.

You cannot search for external users in other parts of Anypoint Platform because these users do not belong to your organization and do not have additional permissions. To grant users permission to perform tasks like deploying an application, you must invite the user to join your organization.

Managing Sensitive Account Information

As an organization administrator, you can modify some sensitive user information. For enhanced security, Access Management might ask you to reauthenticate before you can modify an organization user’s email address. Connected apps and clients are exempt from reauthentication. If you have a script that makes an API call to change an organization user’s email addresses, it might need to accommodate reauthentication.

Access Management prompts you to reauthenticate under the following conditions:

  • If more than 30 minutes have elapsed since you entered your password, Access Management prompts you to reenter your password.

  • If you have multi-factor authentication (MFA) enabled and more than eight hours have elapsed since you entered your password and used MFA, Access Management prompts you to reenter your password and confirm the signin using MFA.

Each time you sign in or reauthenticate, the timer resets. If less than 30 minutes have elapsed since you signed in, Access Management does not prompt for your password again.