Apigee RBAC Incorrect Behaviour - Role API

I am trying to set up role-based access control and the resource permission API does not seem to be working as expected.

{
  "resourcePermission": [
    {
      "path": "/applications/azp-retail-*",
      "permissions": [
        "get",
        "put",
        "delete"
      ]
    },
    {
      "path": "/applications/azp-retail-*/revisions",
      "permissions": [
        "get"
      ]
    },
    {
      "path": "/applications/azp-retail-*/revisions/*",
      "permissions": [
        "get",
        "put",
        "delete"
      ]
    },
    {
      "path": "/applications/azp-retail-*/deployments",
      "permissions": [
        "get"
      ]
    },
    {
      "path": "/applications/azp-retail-*/revisions/*/deployments",
      "permissions": [
        "get",
        "put"
      ]
    },
    {
      "path": "/environments/dev/applications/azp-retail-*/deployments",
      "permissions": [
        "get"
      ]
    },
    {
      "path": "/environments/dev/applications/azp-retail-*/revisions/*/deployments",
      "permissions": [
        "get",
        "put",
        "delete"
      ]
    },
    {
      "path": "/applications/azp-retail-*/revisions/*/policies",
      "permissions": [
        "get",
        "put"
      ]
    },
    {
      "path": "/applications/azp-retail-*/revisions/*/policies/*",
      "permissions": [
        "get"
      ]
    }
  ]
}


I am expecting the role to manage dev proxies with the azp-retail prefix.

However, post creation, the UI shows the below.

[attached screenshot: vipinev_1-1742544895057.png]

It allows editing and deleting all proxies.

If you try to delete this permission via the console, it says it doesn't exist.

Also, when you log in as a user with this role, you can edit/delete all proxies.

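As an added check that is not part of the post above and not Apigee's own logic: the script below applies a subset of the poster's resourcePermission rules to sample proxy paths under the semantics the poster expects (a `*` matches within a single path segment only, and permissions are unioned across every matching rule). Running it against the same paths that the console or API actually permits makes the gap between intended and observed behaviour concrete when raising a support case; the rule subset and the sample paths are constructed for this example.

```python
# Constructed subset of the rules from the post above (same paths and verbs).
RESOURCE_PERMISSIONS = [
    {"path": "/applications/azp-retail-*", "permissions": ["get", "put", "delete"]},
    {"path": "/applications/azp-retail-*/revisions", "permissions": ["get"]},
    {"path": "/applications/azp-retail-*/revisions/*", "permissions": ["get", "put", "delete"]},
    {"path": "/environments/dev/applications/azp-retail-*/deployments", "permissions": ["get"]},
]


def _segment_matches(pattern_seg: str, path_seg: str) -> bool:
    """Match one path segment. Assumption (the poster's intent, not a documented
    Apigee guarantee): '*' matches any single segment, 'prefix-*' matches a
    segment starting with that prefix, and a wildcard never spans a '/'."""
    if pattern_seg == "*":
        return True
    if pattern_seg.endswith("*"):
        return path_seg.startswith(pattern_seg[:-1])
    return pattern_seg == path_seg


def path_matches(pattern: str, path: str) -> bool:
    """True when every segment of the rule pattern matches the request path."""
    p = pattern.strip("/").split("/")
    q = path.strip("/").split("/")
    return len(p) == len(q) and all(_segment_matches(a, b) for a, b in zip(p, q))


def allowed_verbs(rules, path: str) -> set:
    """Union of the verbs granted by every rule whose path pattern matches."""
    verbs = set()
    for rule in rules:
        if path_matches(rule["path"], path):
            verbs.update(rule["permissions"])
    return verbs


def is_allowed(rules, verb: str, path: str) -> bool:
    return verb in allowed_verbs(rules, path)


if __name__ == "__main__":
    # Constructed sample paths: two proxies in scope, one outside the prefix.
    for sample in (
        "/applications/azp-retail-orders",
        "/applications/azp-retail-orders/revisions/3",
        "/applications/billing-api",
        "/environments/dev/applications/azp-retail-orders/deployments",
        "/environments/prod/applications/azp-retail-orders/deployments",
    ):
        print(f"{sample:<62} {sorted(allowed_verbs(RESOURCE_PERMISSIONS, sample)) or 'none'}")
```

If the deployed role lets a user delete `/applications/billing-api` while this intended-semantics model returns no verbs for it, that path is the concrete reproduction to attach to the ticket.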

Hey @vipinev,

We’ve seen that your question hasn’t gotten a response yet. We’ll keep checking in on this thread and encourage other members to share their thoughts.

Hi,

Thanks for this question. Creating custom RBAC rules can be complicated. Apigee just released a new feature that we call Spaces that greatly simplifies ownership management of Proxies, Shared Flows, and Products.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows and API products.

You can create multiple Spaces in the same organization for different teams, development projects, or environments and set the IAM controls for each Space. Any API resources created under a Space will inherit the IAM policies applied to that Space.

See: https://cloud.google.com/apigee/docs/api-platform/system-administration/spaces/apigee-spaces-overvie...

Using Spaces also eliminates the need for team-based naming conventions, although you are welcome to continue to use them.

Take a look, I think Spaces will help you out.