Create a Custom Role
API7 Enterprise starts with a locked-down Super Admin role and a policy granting full access for initial setup. The default admin account is permanently tied to this role for emergency recovery.
With custom roles, you can build a granular permission system tailored to your needs. This tutorial walks through defining custom roles in API7 Enterprise so that you can manage access control with greater precision.
This tutorial showcases a custom role with view-only access to the production gateway group and full access (view & edit) to the test gateway group. You will complete the following steps:
- Create two permission policies: one granting view-only access to the production gateway group, and another granting full access to the test gateway group.
- Create a custom role `Development Team Member` and attach the two permission policies to it.
Prerequisites
- Install API7 Enterprise.
- Have two gateway groups, one for the test environment and one for production, each with at least one gateway instance.
- Have a service published to both gateway groups for validation.
- (Optional) Review the permission policy examples.
Create Permission Policies
Create Production Permission Policy
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click Add Permission Policy.
- From the dialog box, do the following:
  - In the Name field, enter `production-gateway-group-view-only`.
  - In the Policy Editor field, enter the following JSON. The `//` comments are explanatory annotations, not valid JSON; remove them if the editor rejects them.
```json
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}" // Use the gateway group id to match resources
      ],
      "actions": [ // List the view permissions for every resource type in the gateway group
        "gateway:GetGatewayGroup",
        "gateway:GetGatewayInstance",
        "gateway:GetConsumer",
        "gateway:GetSSLCertificate",
        "gateway:GetGlobalPluginRule",
        "gateway:GetPluginMetadata",
        "gateway:GetServiceRegistry",
        "gateway:GetPublishedService"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>" // View all published services in this gateway group
      ],
      "actions": [
        "gateway:GetPublishedService"
      ],
      "effect": "allow"
    }
  ]
}
```
As an alternative, you can use the wildcard grammar. Note that `<.*>Get<.*>` grants every action whose name contains `Get`, including any added in future releases, so the explicit list above is the tighter, least-privilege choice:
```json
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}" // Use the gateway group id to match resources
      ],
      "actions": [ // Match all actions containing "Get"
        "<.*>Get<.*>"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>" // View all published services in this gateway group
      ],
      "actions": [
        "gateway:GetPublishedService"
      ],
      "effect": "allow"
    }
  ]
}
```
- Click Add.
Create Test Permission Policy
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click Add Permission Policy.
- From the dialog box, do the following:
  - In the Name field, enter `test-gateway-group-full-access`.
  - In the Policy Editor field, enter the following JSON. The `//` comments are explanatory annotations, not valid JSON; remove them if the editor rejects them.
```json
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}" // Use the gateway group id to match resources
      ],
      "actions": [ // Include all actions
        "<.*>"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/{gateway group id}/publishedservice/<.*>" // Full access to all published services in this gateway group
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    }
  ]
}
```
- Click Add.
Create Custom Role
- Select Organization from the top navigation bar, and then select Roles.
- Click Add Custom Role.
- From the dialog box, do the following:
  - In the Name field, enter `Development Team Member`.
  - (Optional) In the Description field, enter `View-only access to production gateway group and full access (view & edit) to test gateway group`.
- Click Add.
- In the role detail page, click Attach Policy.
- Select `production-gateway-group-view-only` and `test-gateway-group-full-access`.
- Click Submit.
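As an added illustration, not part of this tutorial or of API7 Enterprise's own authorization code, the following Python models how the two policies combine in the `Development Team Member` role: each `<...>` segment in a pattern is read as a regular-expression fragment (the tutorial's `<.*>` grammar), the rest is matched literally, and anything no `allow` statement matches is assumed denied. The gateway group ids and the published service id are constructed placeholders.

```python
import re
from typing import Iterable

# Constructed placeholder ids; substitute the real gateway group ids from API7 Enterprise.
PROD_GG = "prod-gg-id-placeholder"
TEST_GG = "test-gg-id-placeholder"

# The tutorial's two policies with {gateway group id} filled in (comments removed).
PRODUCTION_VIEW_ONLY = {"statement": [
    {"resources": [f"arn:api7:gateway:gatewaygroup/{PROD_GG}"],
     "actions": ["<.*>Get<.*>"], "effect": "allow"},
    {"resources": [f"arn:api7:gateway:gatewaygroup/{PROD_GG}/publishedservice/<.*>"],
     "actions": ["gateway:GetPublishedService"], "effect": "allow"},
]}
TEST_FULL_ACCESS = {"statement": [
    {"resources": [f"arn:api7:gateway:gatewaygroup/{TEST_GG}"],
     "actions": ["<.*>"], "effect": "allow"},
    {"resources": [f"arn:api7:gateway:gatewaygroup/{TEST_GG}/publishedservice/<.*>"],
     "actions": ["<.*>"], "effect": "allow"},
]}
# The role is modelled as the union of its attached policies (assumption of this example).
DEV_TEAM_MEMBER = [PRODUCTION_VIEW_ONLY, TEST_FULL_ACCESS]

_WILDCARD = re.compile(r"<([^>]*)>")

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Text inside <...> is kept as a regex fragment, everything else is escaped
    and matched literally; this is how the example reads the <.*> grammar."""
    parts, pos = [], 0
    for m in _WILDCARD.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        parts.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))

def matches_any(patterns: Iterable[str], value: str) -> bool:
    return any(pattern_to_regex(p).fullmatch(value) for p in patterns)

def is_allowed(policies, action: str, resource: str) -> bool:
    """Assumed evaluation: grant only when some 'allow' statement matches both the
    action and the resource; anything not explicitly allowed is denied."""
    for policy in policies:
        for stmt in policy["statement"]:
            if stmt["effect"] == "allow" and matches_any(stmt["actions"], action) \
                    and matches_any(stmt["resources"], resource):
                return True
    return False
```

Running `is_allowed(DEV_TEAM_MEMBER, ...)` against a production published service resource grants `gateway:GetPublishedService` but nothing else, while the same checks against the test gateway group succeed for any action, which is the behaviour Tom should observe in the validation step.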
Validate Custom Role
- Follow the tutorial Update User Roles and assign `Development Team Member` to another user, for example `Tom`.
- Ask Tom to log in and validate his permissions.
Additional Resources
- Key Concepts
- Getting Started
- Best Practice
- Reference