Roles and Permissions
Roles and permissions overview
Roles specify what users can see and do in the Hub given certain contexts. In other words, roles define what Enterprise Hub functionality is available to each user in each situation. Roles in RapidAPI enable your enterprise to specify fine-tuned control over things like performing administrative tasks, creating organizations and creating APIs. This is known as role-based access control.
There are four role types:
- Environment User role - Applies to the user across the Hub environment. For example, a user's Environment User role may allow a user to create organizations.
- Organization User role - Applies to the user in a particular organization. This role is used to identify Organization Administrators.
- Team User role - Applies to developers on a team. Team User roles can be used to prevent certain developers from viewing app keys or from editing APIs and apps. Organization Administrators automatically have all Team User role permissions.
- Organization role - This role is assigned to an organization itself. It specifies whether members of the organization can create and publish APIs in the organization. This role could be used for partner organizations that do not contain any APIs, but consume APIs in other organizations.
Each role type contains a set of roles. Each role contains a set of permissions. For example, most users in the Enterprise Hub will be assigned the "Default User" Environment User role. A few users will be assigned the "Admin" Environment User role (making them Environment Admins). This role contains the same permissions as the "Default User" role, but adds a permission enabling the ability to access the Admin Panel.
Using roles, users can be granted the following permissions:
- access to the Admin Panel
- access to the Organization Dashboard
- the ability to create organizations
- the ability to use the Provider Dashboard (My APIs)
- the ability to create or modify APIs
- the ability to use the Developer Dashboard (My Apps)
- the ability to create or modify apps
- the ability to see App keys
- the ability to use a Personal Context for APIs
Details on each of these permissions are discussed below.
Each user is assigned one Environment User role, one Organization User role for each organization they are a member of, and one Team User role for each team they are a member of.
Each organization is assigned one Organization role.
Unless otherwise specified, default roles will be assigned.
Environment Admins can create different roles of each role type and select the permissions that apply to each role. Roles can be assigned using the user interface (as described in this page), by using the ROLES group of the Platform API, or configured via a directory service integration.
To configure roles in your Enterprise Hub, navigate to the Admin Panel, expand the Enterprise Settings dropdown, and select the Roles and Permissions tab.
Details on configuring and using each of the four types of roles follow.
1. Environment User roles
To configure Environment User roles, select the User Roles button on the Roles and Permissions page, then select the Environment tab.
For each Environment User role, the following permissions can be granted:
Permission | Description |
---|---|
Personal Context / Access Provider Dashboard | Specifies whether the user has a personal account for applications and APIs. If enabled, the user sees Personal Account as an option in the context dropdown when working with APIs. Some enterprises may choose to disable personal accounts at the Enterprise Hub scope in order to better manage the APIs of the Enterprise Hub. In this case, the user would only have access to applications and APIs from team contexts. If the Access Provider Dashboard checkbox is also selected, the user has access to the Studio (or the older Provider Dashboard) and can create and publish (make public) APIs in their personal account. |
Create Organization | The ability of the user to create organizations. |
Admin Panel Access | Access to the Admin Panel, which is used to administer the Enterprise Hub. This access is usually limited to Environment Admins. |
By default, there are two Environment User roles:
- Default User (the default setting) - Standard users added to the Enterprise Hub do not have the last permission defined above (Admin Panel Access).
- Admin - Users added to this role have all of the permissions defined above. A user with this role is an Environment Administrator.
Default roles
New users are automatically given the default role unless otherwise specified. You can edit the permissions in the default role, but you cannot delete the default role.
Creating and modifying Environment User roles
To add an Environment User role, click Add a User Role, enter the role name and description and select the desired permissions.
To edit an existing Environment User role, click Edit associated with the role and modify the settings as desired.
Example Environment User role - Create Org
Let's say that an enterprise would like to allow only a few users the ability to create organizations, without assigning them the Environment Admin role. An Environment Admin can edit the User role (as seen above) and deselect the Create Organization permission. They can then create a role named something like "Create Org". This role will have Create Organization permission, but not Admin Panel Access permission. Then Environment Admins can add users to the Create Org role as needed.
Assigning Environment User roles to users
All users belong to the default Environment User role unless an Environment Administrator changes this setting in the Admin Panel (or the user's role is changed programmatically). Navigate to the user's details and select the appropriate role in the Role within Environment dropdown, as shown here:
2. Organization User roles
To see the two "hard-coded" Organization User roles, select the User Roles button on the Roles and Permissions page, then select the Organization tab.
Organization User roles cannot be configured. For each Organization User role, the following permission can be granted:
Permission | Description |
---|---|
Access Organization Dashboard | If selected, gives the user access to the Organization Dashboard, where Organization administrators can manage their organization. |
There are two Organization User roles by default:
- Developer - Does not have access to the Organization Dashboard. This is the default role when a user is added to an organization.
- Admin - The user is an Organization Administrator and can access the Organization Dashboard.
Assigning Organization User roles to users
There are multiple ways that Organization Administrators can assign Organization User roles to users:
- When inviting teammates to your new organization. (The creator of the organization is automatically an Organization Administrator.)
- From the Manage Teammates tab of the Organization Dashboard.
- From the Manage Teams tab of the Organization Dashboard by editing the team details.
- Programmatically.
Environment Administrators are not automatically members of organizations. Like other users, they must be added and assigned an Organization User role by Organization Administrators.
3. Team User roles
To configure Team User roles, select the User Roles button on the Roles and Permissions page, then select the Team tab.
For each role, the following permission can be granted:
Permission | Description |
---|---|
View App Keys | Allows the ability to view app keys. Otherwise, the keys are obscured. |
Manage Apps | If the sub-checkbox Manage Apps is selected, the team member can create and edit apps. |
Manage Team Members | Allows the ability to add members to or remove members from the team. |
Manage APIs | Allows the team member to add and edit APIs. If this is unchecked, the user cannot access Studio and edit APIs. They will receive a 404 error if they try to edit the API. |
Manage Approvals | Allows the team member to perform team-related approvals. If a team member does not have this permission, they will not see any team-related incoming or submitted requests in My APIs Approvals. For example, they will not be able to approve a request to access a plan that requires approval for an API owned by the team. They will also not be able to request to make a private API owned by the team public, or view the status of those requests. |
By default, there is a single Team User role named Team Member. All team members belong to this role by default.
Creating and modifying Team User roles
You can create additional Team User roles by clicking Add a User Role.
To edit an existing Team User role, click Edit associated with the role and modify the settings as desired.
Assigning Team User roles to users
You can specify the Team User roles for users using the Manage Teammates or Manage Teams tabs of the Organization Dashboard. Click Edit for the desired user.
If a user is a member of multiple teams, you can set a Team User role for each team.
4. Organization roles
This role is assigned to an organization itself. It specifies whether members of the organization can create and publish APIs in the organization. This role could be used for partner organizations that do not contain any APIs, but consume APIs in other organizations.
To configure Organization roles, select the Organization Roles button on the Roles and Permissions page. By default, each organization has only one Organization role, and it allows members to create and publish APIs in the organization.
For each role, the following permission can be granted:
Permission | Description |
---|---|
Access Provider Dashboard | If selected, gives users in the Organization access to Studio - Overview in Team contexts within that Organization, where they can create and publish (make public) APIs. |
Creating and modifying Organization roles
To create an Organization role, click Add an Organization Role.
To edit an existing Organization role, click Edit associated with the role and modify the settings as desired.
Example Organization Role - Consumer Org
Let's say that an enterprise wants to enable a partner to consume, but not create or modify APIs. The enterprise can create an Organization Role named something like "Consumer Org" with the Access Provider Dashboard permission unchecked. The enterprise can then create an organization named "Partner X" and assign the "Consumer Org" Organization role to the organization. This organization will not contain any APIs, but can subscribe to APIs in other organizations. Therefore, members of the partner organization can only consume APIs in the Enterprise Hub, not create or modify them.
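How the four role types combine into a user's effective permissions, and who holds the sensitive ones, can be checked with a small model. The following Python is an added example, not RapidAPI code and not a Platform API client. Assumptions: the role names "Provider Org" and "Consumer Dev", the permission sets given to each role, and the organizations, teams and users are constructed, and the Organization role is assumed to cap API management for every member, Organization Administrators included.

```python
ALL_TEAM_PERMS = {"View App Keys", "Manage Apps", "Manage Team Members",
                  "Manage APIs", "Manage Approvals"}

# Constructed role definitions; permission names are the ones in the tables above.
ENV_ROLES = {
    "Default User": {"Personal Context", "Access Provider Dashboard"},
    "Create Org": {"Personal Context", "Access Provider Dashboard", "Create Organization"},
    "Admin": {"Personal Context", "Access Provider Dashboard", "Create Organization",
              "Admin Panel Access"},
}
TEAM_ROLES = {"Team Member": set(ALL_TEAM_PERMS),     # assumed to hold every permission
              "Consumer Dev": {"Manage Apps"}}        # hypothetical custom role
ORG_ROLES = {"Provider Org": {"Access Provider Dashboard"},  # hypothetical name
             "Consumer Org": set()}

# Constructed assignments: organization -> Organization role, then per-user roles.
ORGS = {"Payments": "Provider Org", "Partner X": "Consumer Org"}
USERS = {
    "alice": {"env": "Admin", "org": {}, "team": {}},
    "bob": {"env": "Create Org", "org": {"Payments": "Admin"}, "team": {}},
    "carol": {"env": "Default User", "org": {"Partner X": "Developer"},
              "team": {("Partner X", "integrations"): "Team Member"}},
    "dave": {"env": "Default User", "org": {"Payments": "Developer"},
             "team": {("Payments", "core"): "Consumer Dev"}},
}

def env_permissions(user):
    """Permissions granted by the user's single Environment User role."""
    return set(ENV_ROLES[USERS[user]["env"]])

def team_permissions(user, org, team):
    """Effective Team User permissions for one user in one team context."""
    u = USERS[user]
    if org not in u["org"]:
        return set()  # Environment Admins are not automatically organization members
    if u["org"][org] == "Admin":
        perms = set(ALL_TEAM_PERMS)  # Organization Admins get every Team User permission
    else:
        perms = set(TEAM_ROLES.get(u["team"].get((org, team)), set()))
    if "Access Provider Dashboard" not in ORG_ROLES[ORGS[org]]:
        perms.discard("Manage APIs")  # assumption: the Organization role caps every member
    return perms

def holders(permission):
    """Users holding an environment-wide permission, for a least-privilege review."""
    return sorted(u for u in USERS if permission in env_permissions(u))
```

Running `holders("Admin Panel Access")` and `holders("Create Organization")` against a real export of assignments gives the short lists that should be reviewed whenever roles change.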
Assigning Organization roles to organizations
To specify an Organization role for an organization, an Environment Administrator can navigate to the Admin Panel and click Organizations. Click the ID of the organization and select the appropriate value from the Organization Role dropdown, as shown below.
Updated 9 months ago