Roles and Permissions in ApiShare
Managing an API ecosystem with large teams can be quite challenging. That’s because a team with many members, each with their own degree of expertise and visibility, requires different levels of responsibility and control. Roles and permissions, therefore, need to be tailored accordingly, but they must also be kept flexible and adaptable to organizational changes.
Why roles are important
Based on our experience, for a successful API Program, the definition of an Operative Model and proper Governance has the same value of a best-of-breed API Management platform solution. Therefore, a core pillar of our service is determining the optimal governance structure by identifying all stakeholders and their responsibilities, namely their roles.
This has obvious benefits:
- Creates a more streamlined and reliable workflow.
- Helps team members avoid unwanted changes to the organization’s assets.
- Helps users to focus on their tasks.
So, who on your team can create, edit, or deploy an API? Who can control how it’s used? And who can just view it? Let’s see how ApiShare has addressed these questions, so that you, whether you are a developer, an architect, or a product manager, can more easily focus on your tasks.
ApiShare’s (default) roles and permissions
ApiShare has a default set of roles, each with its own visibility and permissions, thereby providing some separation of duties, while ensuring broader access to the more authoritative roles. The roles in this configuration are hierarchical, thus every role inherits the permissions of the role below it.
The default set of roles is the following:
| Role | Description | Permissions |
|---|---|---|
Owner |
The tenant owner. | They have all permissions. |
Organization Admin |
Administrator of an internal organization or partner organization. |
They can manage their Organization and everything within it, including its Groups, its members, and its APIs. |
Group Admin |
Administrator of a certain Group within an organization. | They can manage only their Group’s members, Apps, APIs. Above all, they can approve the more sensitive lifecycle steps of their Group’s APIs, like deployment. |
Contributor |
A user who can create APIs for their group, usually a developer. | They can propose the creation of new APIs and contribute to their design, development, and enhancement. |
Consumer |
A user who can only consume APIs. | They can request subscriptions to the APIs for their Group’s applications. In addition, they can leave reviews to the APIs they use. |
Guest |
A user who was just invited, but who belongs to no organization. | They can browse both the API and Application catalogs, and make requests to join the ecosystem’s Organizations. |
In addition, each role can be configured to only have access to certain environments. For instance, Consumers can be set to only have access to the DEV and TEST environments of APIs, while only Admins may access the PRODUCTION environment.
The scope of each role
Usually, for any one project, a user only has a single role, and thus a single set of permissions at a time. However, if a particular user happens to work on multiple projects, or, more closely to the reality of API management, if a user has to consume or contribute to APIs for different Organizations or departments within a company, they ought to have the most appropriate role within each Organization.
Therefore, in ApiShare, aside from the Owners and Guests (who do not belong to a specific Organization), all roles are scoped to each of the Organizations a user might belong to.
In other words, a user has a role within their Organization. (More accurately, within the Group of the Organization they belong to). So, if a user belongs to more than one Organization, they shall have a specific role in each of them. For example, a user can be a Consumer of APIs for the Data Scientists Organization, as well as a Contributor of APIs for the R&D Organization.
Configurability
We’ve seen how ApiShare’s default role configuration tackles the challenge of assigning responsibilities and visibility within an API management ecosystem. However, from years of experience in the business, we know that defaults may not always cut it. That’s why, for enterprise subscriptions, at the time of setup, we offer the option of tailoring the default configuration, from the number of roles, to their permissions and visibility.
Do not hesitate to contact our team to find out how we can tailor ApiShare’s user Roles and Permissions to best suit your company’s needs!
About the Author: Federico Oggioni
