Create a Custom Role
API7 Enterprise starts with a locked-down Super Admin role and policy granting full access for initial setup. The default admin account is permanently tied to this role for emergency recovery.
With custom roles, you can create a granular permission system tailored to your specific needs. This tutorial will guide you through the process of defining custom roles in API7 Enterprise, empowering you to manage access control with greater precision.
This tutorial showcases a custom role with view-only access to production gateway group and full access (view & edit) to test gateway group. You will complete the following steps:
- Create two permission policies, one to define the view-only permission to production gateway group, and another to define the full access to test gateway group.
- Create a custom role
Development Team Memberattached to the above two permission policies.
Prerequisites
- Install API7 Enterprise.
- Have two gateway groups for test and production environments with at least one gateway instance in each group.
- Have a published service in both two gateway groups for validation use.
- (Optional) Learn permission policy examples.
Create Permission Policies�
Create View-only Production Permission Policy
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click Add Permission Policy.
- From the dialog box, do the following:
- In the Name field, enter
production-gateway-group-view-only. - In the Policy Editor field, enter the JSON:
{
"statement": [
{
"resources": [
"arn:api7:gateway:gatewaygroup/{production gateway group id}" // Use gateway group id to identify
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{production gateway group id}/publishedservice/<.*>" // View-only to all published services on these gateway groups
],
"actions": [
"<.*>Get<.*>"
],
"effect": "allow"
}
]
}
- Click Add.
Create Full Access Test Permission Policy
- Select Organization from the top navigation bar, and then select Permission Policies.
- Click Add Permission Policy.
- From the dialog box, do the following:
- In the Name field, enter
test-gateway-group-full-access. - In the Policy Editor field, enter the JSON:
{
"statement": [ // Multiple statements within a policy function with an OR relationship.
{
"resources": [
"arn:api7:gateway:gatewaygroup/{test gateway groupp id}"
],
"actions": [
"<.*>"
],
"effect": "allow"
},
{
"resources": [
"arn:api7:gateway:gatewaygroup/{test gateway groupp id}/publishedservice/<.*>" // Full access to all published services on this gateway group
],
"actions": [
"<.*>"
],
"effect": "allow"
}
]
}
- Click Add.
Create Custom Role
- Select Organization from the top navigation bar, and then select Roles.
- Click Add Custom Role.
- From the dialog box, do the following:
- In the Name field, enter
Development Team Member. - (Optional) In the Description field, enter
View-only access to production gateway group and full access (view & edit) to test gateway group. - Click Add.
- In the role detail page, click Attach Policy.
- Select
production-gateway-group-view-onlyandtest-gateway-group-full-access. - Click Submit.
Validate Custom Role
- Follow the tutorial Update User Roles and assign the
Development Team Memberto another user, for exampleTom. - Ask Tom to log in and validate his permissions.
Additional Resources
- Key Concepts
- Getting Started
- Best Practice
- Reference