Update User Roles
Role-Based Access Control (RBAC) links permissions to roles instead of directly to users. Users are then assigned these roles, which simplifies access management, improves efficiency, and reduces errors. This guide walks you through managing role-based access control in API7 Enterprise using custom roles, permission policies, and permission boundaries.
Update a User Role
- Select Organization from the top navigation bar, and then select Users.
- Click Update Roles for the target user.
- Add or remove roles.
- Click Update.
To view the permissions for every role, select Organization from the top navigation bar and select Roles.
Roles and permission policies are combined to control access. Here's an example of isolating access to environments using a custom role and permission policy.
Define Permission Policies
Create three gateway groups: test, UAT, and production.
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click + Add Policy.
- In the + Add Permission Policy dialog box, do the following:
  - In the Name field, enter test-gateway-group-full-access.
  - In the Policy editor field, enter the configuration:
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/b6db7341-fc1f-4cee-a318-3e782a163d24"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/b6db7341-fc1f-4cee-a318-3e782a163d24/publishedservice/<.*>"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    }
  ]
}
Note: The resource ID should be consistent with the gateway groups you created. Change it to match your environment.
  - Click Add.
- Click + Add Policy.
- In the dialog box, do the following:
  - In the Name field, enter uat-gateway-group-full-access.
  - In the Policy editor field, enter the configuration:
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/45a06edc-4a93-4bea-a437-3f153b56254c"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/45a06edc-4a93-4bea-a437-3f153b56254c/publishedservice/<.*>"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    }
  ]
}
  - Click Add.
- Click + Add Policy.
- In the dialog box, do the following:
  - In the Name field, enter production-gateway-group-full-access.
  - In the Policy editor field, enter the configuration:
{
  "statement": [
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/edc12ecd-94a5-49b2-b82d-8d1113e6cd86"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    },
    {
      "resources": [
        "arn:api7:gateway:gatewaygroup/edc12ecd-94a5-49b2-b82d-8d1113e6cd86/publishedservice/<.*>"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    }
  ]
}
  - Click Add.
Define Custom Roles
- Select Organization from the top navigation bar, and then select Roles.
- Click + Add Custom Role.
- In the dialog box, do the following:
  - In the Name field, enter Development Team Member.
  - Click Add.
- Create two other roles, Development Team Lead and Test Engineer, in the same way.
Assign Roles with Controlled Access
- Click Development Team Member to open the role page.
- Click + Attach Policy.
- In the dialog box, do the following:
  - In the Permission Policies field, select test-gateway-group-full-access.
  - Click Submit. This allows Development Team Members to make changes solely in the test environment.
- Assign the test-gateway-group-full-access and uat-gateway-group-full-access policies to Development Team Lead. This enables them to work in both the test and UAT environments, potentially including synchronizing stable configurations from test to UAT.
- Assign the uat-gateway-group-full-access and production-gateway-group-full-access policies to Test Engineer. This restricts their access to the UAT and production environments, focusing on new API testing and publishing tasks.
Validate
- Log in to API7 Enterprise using an account with the Development Team Member role and confirm that it can only access the test gateway group.
- Log in to API7 Enterprise using an account with the Development Team Lead role and confirm that it can only access the test and UAT gateway groups.
- Log in to API7 Enterprise using an account with the Test Engineer role and confirm that it can only access the UAT and production gateway groups.
Set Role Mapping (SSO Required)
Users who meet the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. See Set Role Mapping for details.
Role mapping takes precedence over manual role assignments. Any manual adjustments to a user's roles will be overwritten upon the next user login when role mapping is active.
Set User Permission Boundary
A user's effective permissions are determined by the intersection of their assigned roles and their permission boundary. This means a user's action is permitted only when:
- Allowed by at least one assigned role.
- Allowed by at least one permission boundary (if present).
- Not denied by any assigned role or permission boundary.
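The evaluation rules above, applied to allow/deny statements in the format used under Define Permission Policies, as an added Python example that is not API7 Enterprise's own code. It assumes that text inside `<...>` is a regular expression and that `*` is a wildcard (both assumptions), and the gateway group IDs, organization ID and action names other than `iam:UpdateLicense` are constructed placeholders.

```python
import re

# Constructed policies in the statement format shown on this page.
# Gateway group IDs, the organization ID and most action names are placeholders.
TEST_GROUP = "arn:api7:gateway:gatewaygroup/TEST-GROUP-ID"
PROD_GROUP = "arn:api7:gateway:gatewaygroup/PROD-GROUP-ID"
LICENSE = "arn:api7:iam:organization/ORG-ID"

test_full_access = {"statement": [
    {"resources": [TEST_GROUP, TEST_GROUP + "/publishedservice/<.*>"],
     "actions": ["<.*>"], "effect": "allow"}]}
allow_everything = {"statement": [  # stands in for a Super Admin role
    {"resources": ["<.*>"], "actions": ["<.*>"], "effect": "allow"}]}
no_access_to_license = {"statement": [
    {"resources": ["arn:api7:iam:organization/*"],
     "actions": ["iam:UpdateLicense"], "effect": "deny"},
    {"resources": ["<.*>"], "actions": ["<.*>"], "effect": "allow"}]}


def _to_regex(pattern):
    # Assumption: text inside <...> is a regular expression, "*" is a wildcard,
    # and everything else is matched literally.
    parts = []
    for piece in re.split(r"(<[^>]*>)", pattern):
        if piece.startswith("<") and piece.endswith(">"):
            parts.append(piece[1:-1])
        else:
            parts.append(re.escape(piece).replace(r"\*", ".*"))
    return re.compile("^" + "".join(parts) + "$")


def evaluate(policy, resource, action):
    """Return 'deny', 'allow', or None when no statement in the policy matches."""
    effects = set()
    for stmt in policy["statement"]:
        if any(_to_regex(r).match(resource) for r in stmt["resources"]) and \
           any(_to_regex(a).match(action) for a in stmt["actions"]):
            effects.add(stmt["effect"])
    if "deny" in effects:
        return "deny"  # an explicit deny wins over any allow in the same policy
    return "allow" if "allow" in effects else None


def is_permitted(role_policies, boundary, resource, action):
    """Apply the three rules: allowed by at least one role, allowed by the
    boundary if one is set, and denied by neither."""
    role_results = [evaluate(p, resource, action) for p in role_policies]
    if "deny" in role_results or "allow" not in role_results:
        return False
    return boundary is None or evaluate(boundary, resource, action) == "allow"
```

With these inputs a Development Team Member can act on the test gateway group but not production, and a Super Admin bounded by no-access-to-license is refused iam:UpdateLicense while keeping every other permission.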
Here is an example of restricting access to licenses using permission boundaries.
Create Permission Policy and Set Permission Boundary
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click + Add Policy.
- In the dialog box, do the following:
  - In the Name field, enter no-access-to-license.
  - In the Policy editor field, enter the configuration:
{
  "statement": [
    {
      "resources": [
        "arn:api7:iam:organization/*"
      ],
      "actions": [
        "iam:UpdateLicense"
      ],
      "effect": "deny"
    },
    {
      "resources": [
        "<.*>"
      ],
      "actions": [
        "<.*>"
      ],
      "effect": "allow"
    }
  ]
}
Note: This policy allows access to all resources except the license.
  - Click Add.
- Select Organization from the top navigation bar, and then select Users.
- Click + Invite User.
- In the dialog box, do the following:
  - In the Username field, enter Tom.
  - Set a one-time password for Tom.
  - In the Permission Boundary field, select no-access-to-license.
  - Click Invite.
- Click Update Roles for Tom.
- In the dialog box, do the following:
  - In the Roles field, select Super Admin.
  - Click Update.
Validate
- Log in to API7 Enterprise using Tom's account.
- Select Organization from the top navigation bar, and then select License.
- Click the edit icon on the license page. The following note appears, showing that access is denied: Permission denied. Your role does not allow this action. Please contact your administrator if you need additional access.
Set Permission Boundary Mapping (SSO Required)
Users who meet the defined key-value mapping rules will be automatically assigned the corresponding permission boundary upon login. See Set Permission Boundary Mapping for details.
Permission boundary mapping takes precedence over manual permission boundary modification. Any manual adjustments to a user's permission boundaries will be overwritten upon the next user login when permission boundary mapping is active.
Additional Resources
- Key Concepts
- Getting Started
- Best Practices