About Oracle API Platform Cloud Service - Classic Roles, Resources, Actions, and Grants
Learn about roles, resources, actions, and grants in Oracle API Platform Cloud Service - Classic.
Terms Used by User Management
These terms are used throughout Oracle API Platform Cloud Service - Classic to define user management concepts.
Entity | Description |
---|---|
User | An Oracle API Platform Cloud Service - Classic user. Users can be members of groups or roles. |
Group | A group of users. Groups can be members of other groups or roles. |
Role | A role is a group that is predefined by the system. It cannot be a member of another role or group. The ability to perform a certain action is determined by membership in a role and optionally a grant on the resource(s) being acted upon. |
Action | A fine-grained operation by the user; for example, CreateApplication, DeleteAPI, etc. |
Grant (noun) | A permission to perform a set of actions on a specific resource. Grants apply to one resource type. For example, the DeployToGatewayGrant can only be applied to Gateway type resources. Grants are granted to a user or group. |
Resource | An object being acted on by a user; for example, a single gateway or API, as opposed to all gateways or APIs. Resources have a resource type. |
Resource Type | The type of resource, like API, gateway, or application. |
Roles
Roles determine which interfaces a user is authorized to access and the grants they are eligible to receive. You can assign one or more of these roles to Oracle API Platform Cloud Service - Classic users and groups: Administrator, API Manager, Application Developer, Gateway Manager, Gateway Runtime, Service Manager, and Plan Manager.
The table below describes each of the available roles. Managing Roles describes how you assign roles.
Name | Description |
---|---|
Administrator | System Administrators responsible for managing the platform settings. Administrators possess the rights of all other roles and are eligible to receive grants for all objects in the system. Administrator tasks are described in Administering Oracle API Platform Cloud Service - Classic. |
API Manager | People responsible for managing the API lifecycle, which includes designing, implementing, and versioning APIs. Also responsible for managing grants and applications, providing API documentation, and monitoring API performance. API Manager tasks are described in Manage APIs. |
Application Developer | API consumers granted self-service access rights to discover and register APIs, view API documentation, and manage applications using the Developer Portal. Application Developer tasks are described in Getting Started with the API Platform Cloud Service Developer Portal in Consuming APIs with the Oracle API Platform Cloud Service - Classic Developer Portal. |
Gateway Manager | Operations team members responsible for deploying, registering, and managing gateways. May also manage API deployments to their gateways when issued the Deploy API grant by an API Manager. Gateway Manager tasks are described in Managing Gateways. |
Gateway Runtime | This role indicates a service account used to communicate from the gateway to the portal. This role is used exclusively for gateway nodes to communicate with the management service; users assigned this role can’t sign into the Management Portal or the Developer Portal. |
Service Manager | People responsible for managing resources that define backend services. This includes managing service accounts and services. Service Manager tasks are described in Managing Services and Service Accounts. |
Plan Manager | People responsible for managing plans. Plan Manager tasks are described in Managing Plans. |
Resource Types
You issue grants for individual resources in Oracle API Platform Cloud Service - Classic. This gives you fine-grained control over which users can perform which actions on a resource. You can issue grants for APIs, applications, gateways, and plans.
Administrators can issue grants to all users for all resources. Users with a role associated with a resource type and the Manage grant for a resource can issue grants for that resource. For example, Gateway Managers with the Manage Gateway grant for a specific gateway can issue grants for it. Gateway Managers without the Manage Gateway grant for a gateway can’t issue grants for it.
Resource Type | Description |
---|---|
API | An API that is managed in Oracle API Platform Cloud Service - Classic. |
Application | An external application that is registered to an API/plan. |
Gateway | A gateway, managed in Oracle API Platform Cloud Service - Classic, that you deploy APIs to. The gateway runtime acts as the security layer, enforcing policies applied to APIs and routing requests to backend services. You issue grants to the logical gateway, not individual gateway nodes. Grants issued to the logical gateway apply to all nodes registered to it. |
Plan | A plan is a set of APIs and specific policies for those APIs. |
Service Account | A Service Account provides authentication configuration for outbound calls. You define a service account resource once and reuse it in policies where this account is required to access services. |
Service | A Service provides configuration and access to a backend service. You define a service resource once and reuse it in any number of policies. |
Actions
Grants determine the actions users can perform on a resource.
Action | Resource | Display Name | Description |
---|---|---|---|
APICreate | GenericResource | Create API | Create an API |
APIDelete | API | Delete | Delete an API |
APIDeploy | API | Deploy | Deploy or request deployment for this API to a gateway. The user also needs the appropriate permission on the Gateway resource |
APIEditAll | API | Edit | Modify the API |
APIEditPublic | API | Edit Public Properties | Modify the Public details of an API (e.g. a doc person) |
APIGrantDeployAPI | API | Grant Deploy API | Give a gateway manager permission to deploy this API (issue the DeployAPIGrant grant) |
APIGrantManageAPI | API | Grant Manage API | Give another APIManager the permission to manage this API (issue the ManageAPI grant) |
APIGrantViewAllDetails | API | Grant View All Details | Give another user permission to view the API's (full) details. (issue the ViewAllDetailsAPIGrant grant) |
APIModifyLifecycleState | API | Grant View Public Details | Give another user permission to view the API’s public details in the Developer Portal (issue the ViewPublicDetailsAPIGrant grant) |
APIModifyPublishState | API | Modify Lifecycle State | Changes the lifecycle state of the API |
APIResume | API | Modify Publish State | Publish the API to the developer portal or remove it from the portal |
APISuspend | API | Resume | Resume a deployed API on a gateway |
APIUndeploy | API | Suspend | Suspend a deployed API on a gateway |
APIViewAllDetails | API | Undeploy | Undeploy this API to a gateway. The user also needs the appropriate permission on the Gateway resource |
APIViewHistory | API | View All Details | View all data about the API |
APIViewPublicDetails | API | View Deployment Details | View data needed for managing the API deployment |
ApplicationCreate | API | View History | View the history of updates made to the API |
ApplicationDelete | API | View Public Details | View data meant for external consumption (primarily for Developer Portal use) |
ApplicationEditAll | GenericResource | Create Application | Create a new Application |
ApplicationEditByManager | Application | Delete | Delete this Application |
ApplicationGrantManageApplication | Application | Edit | Modify the properties of an application |
ApplicationGrantViewAllDetails | Application | Edit a subscribed application | Allows the API Manager to edit a subset of properties of an application subscribed to an API |
ApplicationIssueKey | Application | Grant Manage Application | Give someone else the ManageApplicationGrant so they can modify this application (issue the ManageApplicationGrant grant) |
ApplicationSubscribe | Application | Grant View All Details | Give someone the ViewAllDetailsApplicationGrant |
ApplicationRegistrationResume | Application | Issue an Application Key | Issues a new application key |
ApplicationRegistrationSuspend | Application | Subscribe | Subscribe or request an application registration to an API |
ApplicationUnsubscribe | Application | Resume | Resume an application |
ApplicationViewAllDetails | Application | Suspend | Suspend an application |
ApplicationViewHistory | Application | Unsubscribe | Unsubscribe an application from an API |
ApplicationViewAllDetails | Application | View All Details | View the properties of an Application and analytics |
ApplicationViewHistory | Application | View History | View the history of updates made to the Application |
ApplicationViewManagerDetails | Application | View as API Manager | View the properties needed as an API Manager or Gateway Manager |
DeveloperPortalLogin | GenericResource | Developer Portal Login | Login to the ApplicationDeveloper Portal |
GatewayApproveDeployRequest | Gateway | Approve API Deployment Request | Approve another user's request to deploy an API to this gateway. |
GatewayCreate | GenericResource | Create Gateway | Create a new Gateway |
GatewayDelete | Gateway | Delete Gateway | Delete a Gateway |
GatewayDeploy | Gateway | Deploy an API | Deploy an API to this Gateway |
GatewayEditAll | Gateway | Edit All | Modify the gateway properties |
GatewayGrantDeploy | Gateway | Grant Deploy | Give another user the ability to deploy APIs to this gateway. (issue the DeployAPIToGatewayGrant grant) |
GatewayGrantManageGateway | Gateway | Grant Manage Gateway | Give another Gateway Manager the right to manage this gateway. (issue a ManageGatewayGrant grant) |
GatewayGrantRequestDeployAPI | Gateway | Grant Request Deploy | Give another user the ability to request a deployment of APIs to this gateway. (issue the RequestDeployAPIToGatewayGrant grant) |
GatewayGrantServiceGateway | Gateway | Grant Service Gateway | Give a service account the ability to retrieve configurations and post statistics from this gateway |
GatewayGrantViewGateway | Gateway | Grant View All Details | Give another user the ability to view Gateway details (issue the ViewGatewayGrant) |
GatewayRequestDeploy | Gateway | Request Deployment of an API | Request an API be deployed to this Gateway. Someone with GatewayDeploy needs to do the actual Deploy |
GatewayRetrieveConfiguration | Gateway | Retrieve Configuration | Retrieve gateway configuration updates from the portal. (Used by GatewayRuntime service accounts only) |
GatewayUndeploy | Gateway | Undeploy an API | Undeploy an API from this Gateway |
GatewayUploadStatistics | Gateway | Upload Statistics | Upload gateway runtime statistics to portal. (Used by GatewayRuntime service accounts only) |
GatewayViewAllDetails | Gateway | View All Details | View all data about the gateway |
GatewayHistoryView | Gateway | View History | View the history of updates made to the Gateway |
ManagerPortalLogin | GenericResource | Manager Portal Login | Login to the Management Portal |
PlanApproveRegistration | Plan | Approve Application Registration | Approve a request to subscribe an application to use a Plan |
PlanCreate | GenericResource | Create Plan | Create a new Plan |
PlanDelete | Plan | Delete | Delete the plan |
PlanEditAll | Plan | Edit | Edit all properties of the plan |
PlanEditPublic | Plan | Edit Public Details | Edit the public properties of the plan. |
PlanGrantManagePlan | Plan | Grant Manage Plan | Give another API Manager the ability to manage this plan (issue the ManagePlanGrant) |
PlanGrantSubscribeApplication | Plan | Grant Subscribe | Give an Application Developer the ability to subscribe an application for this plan (issue the SubscribeApplicationForPlanGrant grant) |
PlanGrantRequestSubscribeApplication | Plan | Grant Request Subscription | Give an Application Developer the ability to request an application be subscribed for this plan (issue the RequestSubscribeApplicationForPlanGrant) |
PlanGrantViewAllDetails | Plan | Grant View All Details | Give another user the ability to view all properties of the plan |
PlanGrantViewPublicDetails | Plan | Grant Public Details | Give another user the ability to view the plan in the developer portal (issue the ViewPublicDetailsforPlanGrant grant) |
PlanGrantEntitleAPI | Plan | Grant Entitle API | Give an API Manager the ability to entitle an API to this plan (issue the EntitleAPIToPlanGrant grant) |
PlanModifyPublishState | Plan | Modify Publish State | Modify the publish state of the plan |
PlanModifyState | Plan | Modify State | Modify the state of the plan |
PlanEntitleAPI | Plan | Entitle API | Entitle an API to a Plan. |
PlanSubscribeApplication | Plan | Subscribe Application | Subscribe an Application to have access to an API. No approval needed. |
PlanRequestSubscribeApplication | Plan | Request Application Subscription | Request an application be subscribed for use |
PlanViewAllDetails | Plan | View All Details | View all details of the plan |
PlanViewHistory | Plan | View History | View the history of updates made to the Plan |
PlanViewPublicDetails | Plan | View Public Details | View information available to Application Developers in the Developer Portal. Note: this action also implies the permission to view the public details of any API which is part of the plan. |
PlanEntitleAPI | Plan | Entitle | Entitle an API to a Plan. |
PolicyManage | GenericResource | Manage Policies | Upload or update a custom policy |
ServiceAccountEditAll | Service Account | Edit | Edit all properties of the service account |
ServiceAccountViewAllDetails | Service Account | View All Details | View all details of the service account |
ServiceAccountViewHistory | Service Account | View History | View the history of updates made to the service account |
ServiceAccountDelete | Service Account | Delete | Delete the service account |
ServiceAccountReference | Service Account | Reference | Reference the service account |
ServiceAccountGrantManageServiceAccount | Service Account | Grant Manage Service Account | Give another Service Manager the ability to manage the service account |
ServiceAccountGrantViewAllDetails | Service Account | Grant View All Details | Give another user the ability to view all properties of the service account |
ServiceAccountGrantReferenceServiceAccount | Service Account | Grant Reference Service Account | Give another user the ability to reference a service account |
ServiceEditAll | Service | Edit | Edit all properties of the service |
ServiceModifyState | Service | Modify State | Edit the state of the service |
ServiceViewAllDetails | Service | View All Details | View all details of the service |
ServiceViewHistory | Service | View History | View the history of updates made to the service |
ServiceDelete | Service | Delete | Delete the service |
ServiceReference | Service | Reference | Reference the service |
ServiceGrantManageService | Service | Grant Manage Service | Give another Service Manager the ability to manage the service |
ServiceGrantViewAllDetails | Service | Grant View All Details | Give another user the ability to view all properties of the service |
ServiceGrantReferenceService | Service | Grant Reference Service | Give another user the ability to reference the service |
UIPlatformSettingsTab | GenericResource | View Platform Settings Tab | Display the Platform settings tab in API Manager Portal, where Administrator can set tenant level settings (e.g., time zone) |
UIViewAPITab | GenericResource | View API Tab | Display the API tab in Manager Portal |
UIViewApplicationTab | GenericResource | View Application Tab | Display the Application tab in Manager Portal |
UIViewGatewayTab | GenericResource | View Gateway Tab | Display the Gateway tab in Manager Portal |
UIViewRoleTab | GenericResource | View Role Tab | Display the Role tab in Manager Portal |
UsersManage | GenericResource | Manage Users | Modify Users, groups, and membership for groups and roles. |
UsersViewHistory | GenericResource | View user management history | View change history for users, groups, and roles |
ViewAllHistory | GenericResource | View all history across the system | View the change history for all resources and system changes |
Grants
In tandem with roles, grants determine which users can access which resources in Oracle API Platform Cloud Service - Classic.
Roles determine which grants a user is eligible to receive; grants determine which actions a user can perform on specific resources. Because grants are issued at the resource level, you have fine-grained control over which users can perform which actions on specific resources. You can control how you want to manage the API lifecycle by issuing certain grant combinations to your users. For example, if you want trusted API Managers to be able to deploy directly to gateways in a development environment without explicit approval from a Gateway Manager, an Administrator or a Gateway Manager can issue that user the Deploy to Gateway grant for a development gateway. In this example the API Manager has not been given approval to deploy directly to a production gateway. They are not able to deploy APIs to it unless they are given explicit approval to do so.
Oracle API Platform Cloud Service - Classic grants, the users each grant can be issued to, and the actions each grant enables are described below.
Note:
Administrators possess the rights of all other roles and are eligible to receive grants for all objects in the system.
API Grants
Grant Name | Description | Can Be Issued To | Associated Actions |
---|---|---|---|
Manage API | People issued this grant are allowed to modify the definition of and issue grants for this API. | API Managers | APIDelete, APIViewAllDetails, APIViewPublicDetails, APIEdit, APIEditPublic, APIModifyPublishState, APIModifyLifecycleState, APIDeploy, APIGrantManageAPI, APIGrantViewAllDetails, APIGrantViewPublicDetails, APIGrantDeployAPI |
View all details | People issued this grant are allowed to view all information about this API in the Management Portal. | API Managers, Gateway Managers, Plan Managers | APIViewAllDetails |
View public details | People issued this grant are allowed to view the publicly available details of this API on the Developer Portal. This grant can be issued to users of any role. | API Managers, Application Developers, Plan Managers | APIViewPublicDetails |
Entitle API | Users issued this grant are allowed to entitle this API to a plan for which they have entitle rights. | API Managers, Plan Managers | APIEntitlementAdd, APIEntitlementEdit, APIEntitlementRemove, APIEntitlementModifyState, APIEntitlementModifyPublishState |
Deploy API | API Managers with the Manage API grant already have this permission for all gateways they are allowed to view. API Managers without the Manage API grant and Gateway Managers issued this grant are allowed to deploy or undeploy this API to a gateway for which they have deploy rights. This allows Gateway Managers to deploy this API without first receiving a request from an API Manager. | API Managers, Gateway Managers | APIDeploy |
Gateway Grants
Grant Name | Description | Can be Issued To | Associated Actions |
---|---|---|---|
Manage Gateway | People issued this grant are allowed to manage API deployments to this gateway and manage the gateway itself. | Gateway Managers | GatewayManage, GatewayViewAllDetails, GatewayDeploy, GatewayRequestDeploy, GatewayApproveDeployRequest, GatewayGrantManageGateway, GatewayGrantViewGateway, GatewayGrantDeployAPI, GatewayGrantRequestDeployAPI |
View all details | People issued this grant are allowed to view all information about this gateway. | Gateway Managers, API Managers, Plan Managers | GatewayViewAllDetails |
Deploy to Gateway | People issued this grant are allowed to deploy or undeploy APIs to this gateway. | Gateway Managers, API Managers | GatewayDeploy, GatewayRequestDeploy |
Request Deployment to Gateway | People issued this grant are allowed to request API deployments to this gateway. Requests must be approved by a Gateway Manager. | API Managers | GatewayRequestDeploy |
Node Service Account | Gateway Runtime service accounts are issued this grant to allow them to download configuration and upload statistics. | GatewayRuntime | GatewayRetrieveConfiguration, GatewayUploadStatistics |
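The way role eligibility and resource-level grants combine for gateways can be modeled in a few lines. The Python below is an added example, not Oracle's code or API: it is a simplified model built from the Gateway Grants table and the role and group rules on this page, and the user, group, and gateway names in it are constructed.

```python
from collections import namedtuple

# Gateway grants from the table above: grant -> (eligible roles, associated actions).
GATEWAY_GRANTS = {
    "Manage Gateway": ({"Gateway Manager"}, {
        "GatewayManage", "GatewayViewAllDetails", "GatewayDeploy",
        "GatewayRequestDeploy", "GatewayApproveDeployRequest",
        "GatewayGrantManageGateway", "GatewayGrantViewGateway",
        "GatewayGrantDeployAPI", "GatewayGrantRequestDeployAPI"}),
    "View all details": ({"Gateway Manager", "API Manager", "Plan Manager"},
                         {"GatewayViewAllDetails"}),
    "Deploy to Gateway": ({"Gateway Manager", "API Manager"},
                          {"GatewayDeploy", "GatewayRequestDeploy"}),
    "Request Deployment to Gateway": ({"API Manager"}, {"GatewayRequestDeploy"}),
    "Node Service Account": ({"Gateway Runtime"},
                             {"GatewayRetrieveConfiguration", "GatewayUploadStatistics"}),
}
ROLES = {"Administrator", "API Manager", "Application Developer", "Gateway Manager",
         "Gateway Runtime", "Service Manager", "Plan Manager"}
Grant = namedtuple("Grant", "principal grant gateway")

class Directory:
    """Simplified model (an assumption, not Oracle's implementation)."""

    def __init__(self):
        self.member_of = {}  # principal -> groups/roles it is a direct member of
        self.grants = []     # issued Grant records

    def add_member(self, principal, parent):
        if principal in ROLES:
            raise ValueError("a role cannot be a member of another role or group")
        self.member_of.setdefault(principal, set()).add(parent)

    def closure(self, principal):  # principal plus every group/role reached by nesting
        seen, stack = set(), [principal]
        while stack:
            p = stack.pop()
            if p not in seen:  # also guards against membership cycles
                seen.add(p)
                stack.extend(self.member_of.get(p, ()))
        return seen

    def roles(self, principal):
        return self.closure(principal) & ROLES

    def eligible(self, principal, grant):
        # Administrators are eligible to receive grants for all objects.
        held = self.roles(principal)
        return "Administrator" in held or bool(held & GATEWAY_GRANTS[grant][0])

    def issue(self, principal, grant, gateway):
        if not self.eligible(principal, grant):
            raise PermissionError(f"{principal} is not eligible for {grant!r}")
        self.grants.append(Grant(principal, grant, gateway))

    def can(self, user, action, gateway):  # grant held directly or through a group
        who = self.closure(user)
        return any(g.gateway == gateway and g.principal in who
                   and action in GATEWAY_GRANTS[g.grant][1]
                   and self.eligible(user, g.grant) for g in self.grants)

    def who_can(self, action, gateway, users):  # review helper for access audits
        return sorted(u for u in users if self.can(u, action, gateway))

def demo():  # constructed names; the development/production split described under Grants
    d = Directory()
    for child, parent in [("alice", "api-leads"), ("api-leads", "API Manager"),
                          ("bob", "Gateway Manager"), ("carol", "Application Developer")]:
        d.add_member(child, parent)
    d.issue("api-leads", "Deploy to Gateway", "dev-gw")
    d.issue("api-leads", "Request Deployment to Gateway", "prod-gw")
    d.issue("bob", "Manage Gateway", "prod-gw")
    return d
```

Running `who_can("GatewayDeploy", "prod-gw", ...)` over the user list is the kind of check to repeat after every grant change on a production gateway, since a grant issued to a group reaches every nested member.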
Application Grants
Grant Name | Description | Can be Issued To | Associated Actions |
---|---|---|---|
Manage Application | People issued this grant can view, modify and delete this application. API Manager users issued this grant can also issue grants for this application to others. | API Managers, Application Developers, Plan Managers | ApplicationEdit, ApplicationDelete, ApplicationView, ApplicationGrantManageApplication |
View All Details | People issued this grant can see all details about this application in the Developer Portal. | API Managers, Application Developers, Plan Managers | ApplicationViewAllDetails |
Service Account Grants
Grant Name | Description | Can be Issued To | Associated Actions |
---|---|---|---|
Manage Service Account | People issued this grant are allowed to view, modify and delete this service account. | Service Managers | ServiceAccountEditAll, ServiceAccountViewAllDetails, ServiceAccountViewHistory, ServiceAccountDelete, ServiceAccountReference, ServiceAccountGrantManageServiceAccount, ServiceAccountGrantViewAllDetails, ServiceAccountGrantReferenceServiceAccount |
View all details | People issued this grant are allowed to see all details about this service account. | API Managers, Gateway Managers, Service Managers | ServiceAccountViewHistory, ServiceAccountViewAllDetails |
Reference Service Account | People issued this grant are allowed to reference this service account (add it to policies). | API Managers, Service Managers | ServiceAccountViewAllDetails, ServiceAccountReference |
Service Grants
Grant Name | Description | Can be Issued To | Associated Actions |
---|---|---|---|
Manage Service | People issued this grant are allowed to view, modify and delete this service. | Service Managers | ServiceEditAll, ServiceModifyState, ServiceViewAllDetails, ServiceViewHistory, ServiceDelete, ServiceReference, ServiceGrantManageService, ServiceGrantViewAllDetails, ServiceGrantReferenceService |
View All Details | People issued this grant are allowed to see all details about this service. | API Managers, Gateway Managers, Service Managers | ServiceViewAllDetails, ServiceViewHistory |
Reference Service | Users issued this grant are allowed to reference this service (add it to policies). | API Managers, Service Managers | ServiceViewAllDetails, ServiceReference |
Plan Grants
Grant Name | Description | Can be Issued To | Associated Actions |
---|---|---|---|
Manage the plan | Users issued this grant are allowed to modify the definition of and issue users grants for this plan. | Plan Managers | PlanEditAll, PlanEditPublic, PlanDelete, PlanModifyPublishState, PlanModifyState, PlanViewAllDetails, PlanViewPublicDetails, PlanViewHistory, PlanRequestSubscribeApplication, PlanSubscribeApplication, PlanApproveSubscription, PlanEntitleAPI, PlanGrantViewAllDetails, PlanGrantViewPublicDetails, PlanGrantManagePlan, PlanGrantRequestSubscribeApplication, PlanGrantSubscribeApplication, PlanGrantEntitleAPI |
View all details | Users issued this grant are allowed to view all details of this plan in the Management Portal. | API Managers, Gateway Managers, Plan Managers | PlanViewAllDetails, PlanViewPublicDetails, PlanViewHistory |
View public details | Users issued this grant are allowed to see the public details of this plan in the Developer Portal. | API Managers, Application Developers, Plan Managers | PlanViewPublicDetails |
Subscribe | Users issued this grant are allowed to subscribe applications to this plan. | API Managers, Application Developers, Plan Managers | PlanViewPublicDetails, PlanSubscribeApplication |
Request Subscription | Users issued this grant are allowed to request to subscribe applications to this plan. | API Managers, Application Developers, Plan Managers | PlanViewPublicDetails, PlanRequestSubscribeApplication |
Entitle | Users issued this grant are allowed to entitle APIs to this plan. | API Managers, Plan Managers | PlanViewPublicDetails, PlanEntitleAPI |