Organization Security/Roles

Manage security roles associated with an organization on the API platform.

How do I manage security for my organization?

The API platform allows you to assign one or more specific roles to users.

All roles defined in the underlying Policy Manager infrastructure, either for the root organization or for the current business organization, are available to be assigned to users in your organization.

This accommodates many use cases and allows you to assign rights to create, view, modify, and delete resources in your organization, to a very fine level of granularity. You can control user access rights to a much more detailed level than the Developer, API Admin, Business Admin, and Site Admin roles supported in versions of the API platform prior to version 8.3.

You can assign access roles to specific users in your organization via the Security page. See How do I assign security roles to users for my organization? below.

You can also add roles. Currently, new roles must be added in Policy Manager, and are then available for selection in the API Platform UI. Roles added at the root organization level are available for all organizations; you can also add one or more roles for a specific organization, and they are available only for that organization.

For information on adding roles in Policy Manager, refer to the Policy Manager help.

How do I assign security roles to users for my organization?

You can assign access roles to specific users in your organization, via the organization's Security page.

To assign security roles to users

  1. In the Community Manager developer portal, go to the Organizations List (see To access the Organizations List).
  2. Find your organization on the list, and then click the title to view the Details page for the organization.
  3. On the left navigation bar, choose Security. The right pane shows the Role Memberships page, which lists all roles currently available to the organization. An example is shown below.

    [Figure: Security role memberships]

  4. On the list, find the role you want to assign, and click the Edit (pencil) icon to the right. The {role name} - Users page has two panes:
    • Left pane has a search bar to help you identify one or more users you want to assign the role to.
    • Right pane lists users currently assigned to the role.
  5. In the left pane, enter search criteria at the top, and then click Go, to locate users.
  6. To assign the user to the role, click Assign.
  7. When done, click Save.

What are the default roles for the API platform?

In the Community Manager developer portal, you can manage roles for the platform users who are part of your business organization, as explained in How do I assign security roles to users for my organization? above.

The summary below gives the basic definition of each default role. Note that your platform implementation might already include some customization of roles in the underlying infrastructure. The definitions below are the defaults.

Default roles

2FA-exempt users
A user who is exempt from platform 2FA verification. Even if two-factor authentication is required for platform users, it is not required for users with this role assigned.
API Administrator
Responsible for managing APIs for the organization. The API Admin has full permission for operations relating to all APIs in the organization, including adding, modifying, and deleting APIs, API versions, and API implementations.
API Administrator and API Admin are the same role.
Note: A user assigned the API Administrator role in the context of a business organization, who is not invited to a specific API, does not have permission to manage API Admins, such as adding or removing other API Admins. Only a user invited to a specific API has those permissions. For details, see What API management capabilities are available to the API Admin in the platform?
API Approver
Responsible for approving APIs for publishing.
API Developer
API Developers have read-only access to the API.
API Owner
Responsible for adding an API. In a scenario where a basic platform user cannot add APIs, a user who is assigned the role of API Owner can add APIs. The user who creates the API becomes the first API Admin.
API Platform Users
Users who have signed up for the Community Manager developer portal by creating an account, or have been added by a Site Admin and have then activated the account.
App Team Member
Responsible for managing an app. Each app team member has full permission for operations relating to the app, including adding, modifying, and deleting apps and app versions as well as adding or removing other app team members.
Business Administrator
Responsible for managing all aspects of a business set up on the API Platform. For details, see What functions are available to the Business Administrator on the platform?
Developer
Responsible for registering and building web services. This role is used by the underlying infrastructure, not by the Community Manager developer portal. Do not assign or change this role in the Community Manager developer portal.
Federation Member
A member of a tenant federation, in a scenario where federation is in effect for the platform implementation.
Group Administrator
Has full administrator rights for the specific group; for example, can add, remove, promote, or demote any group member, and can delete the group. For details, see What can a group Admin do?
Group Leader
Has Group Leader rights; for example, can promote or demote Group Members and other Group Leaders. For details, see What can a group Leader do?
Group Member
Has Group Member rights; for example, can invite others to join the group. For details, see What can a group Member do?
Guest
An anonymous user who is using the Community Manager developer portal without logging in. Guests have view-only access to public content. If an API is set to allow anonymous access (depends on API implementation settings), the anonymous user can test the API in Test Client.
Infrastructure Manager
Responsible for installing containers, virtualizing services, and deploying services to containers. This role is used by the underlying infrastructure, not by the Community Manager developer portal. Do not assign or change this role in the Community Manager developer portal.
LC Administrator
Has Administrator rights (full add/modify/delete/read permission) for all Lifecycle Coordinator functionality.
LC User
Has permission for general use of Lifecycle Coordinator functionality.
Model Administrator
Responsible for managing model objects in the Model Library. For more information, see What are the duties of the Model Administrator?
Model Designer
Responsible for designing model objects in the Model Library. For more information, see What are the duties of the Model Designer?
Operation Manager
Responsible for developing security and monitoring policies and assigning them to services and organizations.
Organization Administrator
Responsible for adding, modifying, and deleting organizations and managing services, policies, and containers within a Policy Manager organization (underlying infrastructure). Do not assign or change this role in the Community Manager developer portal. To allow a user to modify organizations in the Community Manager developer portal, assign the Business Administrator role.
Policy Administrator
Responsible for adding, modifying and deleting policies within an organization.
Provision Manager
Responsible for approving app/API contracts in any scenario where approval is required (depends on API implementation settings).
Security Administrator
Responsible for granting access to the Workbench for an organization, to users and user groups. This role is used by the underlying infrastructure, not by the Community Manager developer portal. Do not assign or change this role in the Community Manager developer portal.
Site Administrator
Responsible for managing many site administration tasks for the Community Manager developer portal, such as configuration settings, the Site Admin team, and the platform developer agreement. For details, see What functions are available to the Site Administrator in the platform?
Tenant Business Administrator
Responsible for managing the APIs within the entire tenant installation.
Tenant Manager
Has full rights and permissions to manage the tenant installation.
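
Two notes in the list above lend themselves to a periodic review of role memberships: the four roles marked as not to be assigned in the Community Manager developer portal, and the 2FA exemption. The Python below is an added example, not part of the product or its documentation; the input shape (role name mapped to a list of users), the choice of which roles count as administrative, and the sample data are assumptions made for illustration.

```python
# Roles the list above marks as used by the underlying infrastructure and
# not to be assigned or changed in the Community Manager developer portal.
INFRASTRUCTURE_ONLY = {
    "Developer", "Infrastructure Manager",
    "Organization Administrator", "Security Administrator",
}
# Assumption: which default roles to treat as administrative for this check.
ADMIN_ROLES = {
    "API Administrator", "Business Administrator", "Site Administrator",
    "Tenant Business Administrator", "Tenant Manager", "Policy Administrator",
    "LC Administrator",
}
TWO_FA_EXEMPT = "2FA-exempt users"
ALIASES = {"API Admin": "API Administrator"}  # the page treats these as one role


def audit_memberships(memberships):
    """Return sorted (user, finding) tuples for assignments that need review.

    memberships: dict of role name -> list of user names (hypothetical
    snapshot format, e.g. transcribed from the Role Memberships page).
    """
    roles_by_user = {}
    for role, users in memberships.items():
        role = ALIASES.get(role.strip(), role.strip())
        for user in users:
            # Normalize case so one account is not counted as two users.
            roles_by_user.setdefault(user.strip().lower(), set()).add(role)

    findings = []
    for user, roles in roles_by_user.items():
        for role in sorted(roles & INFRASTRUCTURE_ONLY):
            findings.append((user, f"infrastructure-only role assigned: {role}"))
        if TWO_FA_EXEMPT in roles:
            for role in sorted(roles & ADMIN_ROLES):
                findings.append((user, f"2FA-exempt with admin role: {role}"))
    return sorted(findings)


# Constructed sample data, not taken from any real organization.
SAMPLE = {
    "2FA-exempt users": ["svc-ci@example.com", "Alice@example.com"],
    "API Admin": ["alice@example.com"],
    "API Developer": ["bob@example.com"],
    "Security Administrator": ["bob@example.com"],
    "Site Administrator": ["carol@example.com"],
}

if __name__ == "__main__":
    for user, finding in audit_memberships(SAMPLE):
        print(f"{user}: {finding}")
```

A 2FA-exempt account with no administrative role, such as the constructed service account in the sample, produces no finding.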

Use case: creating a custom role with Monitor permission only

You might want to create a custom role so that certain users can have Monitor permission, to view an API's analytics information, without those users being able to view and modify private APIs unless invited.

You can do this, but you must define the new role in Policy Manager, the underlying infrastructure for the Community Manager developer portal.

When you follow the steps, you can create a role that:

  • Cannot edit APIs
  • Cannot view private APIs unless specifically invited to have visibility of the API
  • Can monitor analytics for all APIs

For instructions to create this custom role, see Use case: creating a custom role with Monitor permission only (Policy Manager documentation). The use case information includes instructions for assigning the role to users in Policy Manager, but you can also assign the role in the Community Manager developer portal: see How do I assign security roles to users for my organization? above.