This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Limiting proxy developer access to specific assets (proxies, shared flows, KVMs) when multiple teams are sharing an environment.

Posted on 02-18-2021 09:11 AM
bdraven-1
New Member
Reply posted on --/--/---- --:-- AM

I have a situation where a company has many developer teams that will "Share" the gateway. This could be done using fine grain resource permissions allowing developers to read/write/delete a subset of proxies, shared flows and other assets. For example, developer A can read/write proxy "A" and "B" but not "C". Whereas Developer "B" can read/write proxy "C" but not "A" or "B". This extends to shared flows, KVMs and the like. Managing these permissions would be somewhat complex and perhaps create friction to getting work done in a timely manner.

I am therefore thinking environment separation is a better choice as the permissions would be granted to the dedicated environment and therefore alleviate the need for fine grain permissions. The downside to this is that there could be many (20 or more) environments in the "Dev" Org. The artifacts created in the "DEV" org would ultimately promote to a merged (all groups assets commingled) Org under CI/CD control and then finally Prod Org which would have same CI/CD control.

Example summary would be

"Dev Org" - One environment per developer team to achieve separation. Could be as many as 20 environments.

"Non-Prod Org - Test, QA, Perf environments where all assets are merged and under CI/CD control.

"Prod Org" - Same as Non Prod in structure with CI/CD control.

Thoughts?

Solved Solved
0 7 1,045
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
kurtkanaskie
Staff
Reply posted on --/--/---- --:-- AM

Hi Bill and welcome home.

This is a common ask. In Apigee X, this could be done using GCP IAM and custom roles, details yet to be proven and documented. Are you using Apigee X?

The approach for the Dev Org would still require custom roles per team, since proxies are not scoped to the environment, just their deployment.

A simpler approach would be to have "Dev Org A", "Dev Org B", etc. rolling up to the merged orgs, but that may be cost prohibitive based on the number of teams.

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7
Top Solution Authors
View all