About Oracle API Platform Cloud Service Roles, Resources, Actions, and Grants

Learn about roles, resources, actions, and grants in API Platform Cloud Service.

Terms Used by User Management

These terms are used throughout API Platform Cloud Service to define user management concepts.

Entity Description

User

An API Platform Cloud Service user. Users can be members of groups or roles.

Group

A group of users. Groups can be members of other groups or roles.

Role

A role is a group that is predefined by the system. Roles cannot be members of another role or group. The ability to perform a certain action is determined by membership in a role and, optionally, a grant on the resource(s) being acted upon.

Action

A fine-grained operation by the user; for example, CreateApplication, DeleteAPI, etc.

Grant (noun)

A permission to perform a set of actions on a specific resource. Grants apply to one resource type. For example, the DeployToGatewayGrant can only be applied to Gateway type resources. Grants are issued to a user or group.

Resource

An object being acted on by a user; for example, a single gateway or API, as opposed to all gateways or APIs. Resources have a resource type.

Resource Type

The type of resource, like API, gateway, or application.

Roles

Roles determine which interfaces a user is authorized to access and the grants they are eligible to receive. You can assign one or more of these roles to API Platform Cloud Service users and groups: Administrator, API Manager, Application Developer, Gateway Manager, Gateway Runtime, and Service Manager.

The table below describes each of the available roles. Managing Roles describes how you assign roles.

Name Description

Administrator

System Administrators responsible for managing the platform settings. Administrators possess the rights of all other roles and are eligible to receive grants for all objects in the system.

Administrator tasks are described in Administering Oracle API Platform Cloud Service.

API Manager

People responsible for managing the API lifecycle, which includes designing, implementing, and versioning APIs. Also responsible for managing grants and applications, providing API documentation, and monitoring API performance.

API Manager tasks are described in Managing APIs.

Application Developer

API consumers granted self-service access rights to discover and register APIs, view API documentation, and manage applications using the Developer Portal.

Application Developer tasks are described in Getting Started with the API Platform Cloud Service Developer Portal in Consuming APIs with the Oracle API Platform Cloud Service Developer Portal.

Gateway Manager

Operations team members responsible for deploying, registering, and managing gateways. May also manage API deployments to their gateways when issued the Deploy API grant by an API Manager.

Gateway Manager tasks are described in Managing Gateways.

Gateway Runtime

This role indicates a service account used to communicate from the gateway to the portal. This role is used exclusively for gateway nodes to communicate with the management service; users assigned this role can’t sign into the Management Portal or the Developer Portal.

Service Manager

People responsible for managing resources that define backend services. This includes managing service accounts and services.

Service Manager tasks are described in Managing Services and Service Accounts.

Resource Types

You issue grants for individual resources in API Platform Cloud Service. This gives you fine-grained control over which users can perform which actions on a resource. You can issue grants for APIs, applications, gateways, and plans.

Administrators can issue grants to all users for all resources. Users with a role associated with a resource type and the Manage grant for a resource can issue grants for that resource. For example, Gateway Managers with the Manage Gateway grant for a specific gateway can issue grants for it. Gateway Managers without the Manage Gateway grant for a gateway can’t issue grants for it.

Resource Type Description

API

An API that is managed in API Platform Cloud Service.

Application

An external application that is registered to an API/plan.

Gateway

A gateway, managed in API Platform Cloud Service, that you deploy APIs to. The gateway runtime acts as the security layer, enforcing policies applied to APIs and routing requests to backend services.

You issue grants to the logical gateway, not individual gateway nodes. Grants issued to the logical gateway apply to all nodes registered to it.

Plan

A plan is a set of APIs and specific policies for those APIs.

In the first API Platform Cloud Service release, plans are not directly exposed in the UI. When an API is created, a plan is also created. In this release APIs and plans have a 1:1 relationship. When users register their applications to an API, they’re actually registering to the plan that corresponds to that API.

Service Account

A Service Account provides authentication configuration for outbound calls. You define a service account resource once and reuse it in policies where this account is required to access services.

Service

A Service provides configuration and access to a backend service. You define a service resource once and reuse it in any number of policies.

Actions

Grants determine the actions users can perform on a resource.

Action Resource Display Name Description

APICreate

GenericResource

Create API

Create an API

APIDelete

API

Delete

Delete an API

APIDeploy

API

Deploy

Deploy or request deployment for this API to a gateway. The user also needs the appropriate permission on the Gateway resource.

APIEditAll

API

Edit

Modify the API

APIEditPublic

API

Edit Public Properties

Modify the Public details of an API (e.g. a doc person)

APIGrantDeployAPI

API

Grant Deploy API

Give a gateway manager permission to deploy this API (issue the DeployAPIGrant grant)

APIGrantManageAPI

API

Grant Manage API

Give another API Manager the permission to manage this API (issue the ManageAPI grant)

APIGrantViewAllDetails

API

Grant View All Details

Give another user permission to view the API's (full) details. (issue the ViewAllDetailsAPIGrant grant)

APIModifyLifecycleState

API

Grant View Public Details

Give another user permission to view the API’s public details in the Developer Portal (issue the ViewPublicDetailsAPIGrant grant)

APIModifyPublishState

API

Modify Lifecycle State

Changes the lifecycle state of the API

APIResume

API

Modify Publish State

Publish the API to the developer portal or remove it from the portal

APISuspend

API

Resume

Resume a deployed API on a gateway

APIUndeploy

API

Suspend

Suspend a deployed API on a gateway

APIViewAllDetails

API

Undeploy

Undeploy this API from a gateway. The user also needs the appropriate permission on the Gateway resource.

APIViewHistory

API

View All Details

View all data about the API

APIViewPublicDetails

API

View Deployment Details

View data needed for managing the API deployment

ApplicationCreate

API

View History

View the history of updates made to the API

ApplicationDelete

API

View Public Details

View data meant for external consumption (primarily for Developer Portal use)

ApplicationEditAll

GenericResource

 Create Application

Create a new Application

ApplicationEditByManager

Application

Delete

Delete this Application

ApplicationGrantManageApplication

Application

Edit

Modify the properties of an application

ApplicationGrantViewAllDetails

Application

Edit a registered application

Allows the API Manager to edit a subset of properties of an application registered to an API

ApplicationIssueKey

Application

Grant Manage Application

Give someone else the ManageApplicationGrant so they can modify this application (issue the ManageApplicationGrant grant)

ApplicationRegister

Application

Grant View All Details

Give someone the ViewAllDetailsApplicationGrant

ApplicationRegistrationResume

Application

Issue an Application Key

Issues a new application key

ApplicationRegistrationSuspend

Application

Register

Register or request an application registration to an API

ApplicationUnregister

Application

Resume

Resume an application

ApplicationViewAllDetails

Application

Suspend

Suspend an application

ApplicationViewHistory

Application

Unregister

Unregister an application from an API

ApplicationViewAllDetails

Application

View All Details

View the properties of an Application and analytics

ApplicationViewHistory

Application

View History

View the history of updates made to the Application

ApplicationViewManagerDetails

Application

View as API Manager

View the properties needed as an API Manager or Gateway Manager

DeveloperPortalLogin

GenericResource

 Developer Portal Login

Log in to the Application Developer Portal

GatewayApproveDeployRequest

Gateway

Approve API Deployment Request

Approve another user's request to deploy an API to this gateway.

GatewayCreate

GenericResource

 Create Gateway

Create a new Gateway

GatewayDelete

Gateway

Delete Gateway

Delete a Gateway

GatewayDeploy

Gateway

Deploy an API

Deploy an API to this Gateway

GatewayEditAll

Gateway

 Edit All

Modify the gateway properties

GatewayGrantDeploy

Gateway

 Grant Deploy

Give another user the ability to deploy APIs to this gateway. (issue the DeployAPIToGatewayGrant grant)

GatewayGrantManageGateway

Gateway

 Grant Manage Gateway

Give another Gateway Manager the right to manage this gateway. (issue a ManageGatewayGrant grant)

GatewayGrantRequestDeployAPI

Gateway

 Grant Request Deploy

Give another user the ability to request a deployment of APIs to this gateway. (issue the RequestDeployAPIToGatewayGrant grant)

GatewayGrantServiceGateway

Gateway

 Grant Service Gateway

Give a service account the ability to retrieve configurations and post statistics from this gateway

GatewayGrantViewGateway

Gateway

 Grant View All Details

Give another user the ability to view Gateway details (issue the ViewGatewayGrant)

GatewayRequestDeploy

Gateway

Request Deployment of an API

Request that an API be deployed to this Gateway. Someone with GatewayDeploy needs to do the actual deployment.

GatewayRetrieveConfiguration

Gateway

 Retrieve Configuration

Retrieve gateway configuration updates from the portal. (Used by GatewayRuntime service accounts only)

GatewayUndeploy

Gateway

Undeploy an API

Undeploy an API from this Gateway

GatewayUploadStatistics

Gateway

 Upload Statistics

Upload gateway runtime statistics to portal. (Used by GatewayRuntime service accounts only)

GatewayViewAllDetails

Gateway

View All Details

View all data about the gateway

GatewayHistoryView

Gateway

View History

View the history of updates made to the Gateway

ManagerPortalLogin

GenericResource

 Manager Portal Login

Log in to the Management Portal

PlanApproveRegistration

Plan

Approve Application Registration

Approve a request to register an application to use a Plan

PlanCreate

GenericResource

 Create Plan

Create a new Plan

PlanDelete

Plan

 Delete

Delete the plan 

PlanEditAll

Plan

 Edit

Edit all properties of the plan

PlanEditPublic

Plan

 Edit Public Details

Edit the public properties of the plan. 

PlanGrantManagePlan

Plan

 Grant Manage Plan

Give another API Manager the ability to manage this plan (issue the ManagePlanGrant)

PlanGrantRegisterApplication

Plan

 Grant Register

Give an Application Developer the ability to register an application for this plan (issue the RegisterApplicationForPlanGrant grant)

PlanGrantRequestRegisterApplication

Plan

 Grant Request Registration

Give an Application Developer the ability to request an application be registered for this plan (issue the RequestRegisterApplicationForPlanGrant)

PlanGrantViewAllDetails

Plan

 Grant View All Details

Give another user the ability to view all properties of the plan

PlanGrantViewPublicDetails

Plan

 Grant Public Details

Give another user the ability to view the plan in the developer portal (issue the ViewPublicDetailsforPlanGrant grant)

PlanModifyPublishState

Plan

Modify Publish State

Modify the publish state of the plan

PlanRegisterApplication

Plan

Register Application

Register an Application to have access to an API. No approval needed.

PlanRequestRegisterApplication

Plan

Request Application Registration

Request an application be registered for use

PlanViewAllDetails

Plan

View All Details

View all details of the plan

PlanViewHistory

Plan

View History

View the history of updates made to the Plan

PlanViewPublicDetails

Plan

View Public Details

View information available to Application Developers in the Developer Portal. Note: this action also implies the permission to view the public details of any API which is part of the plan.

PolicyManage

GenericResource

Manage Policies

Upload or update a custom policy

ServiceAccountEditAll

Service Account

Edit

Edit all properties of the service account

ServiceAccountViewAllDetails

Service Account

View All Details

View all details of the service account

ServiceAccountViewHistory

Service Account

View History

View the history of updates made to the service account

ServiceAccountDelete

Service Account

Delete

Delete the service account

ServiceAccountReference

Service Account

Reference

Reference the service account

ServiceAccountGrantManageServiceAccount

Service Account

Grant Manage Service Account

Give another Service Manager the ability to manage the service account

ServiceAccountGrantViewAllDetails

Service Account

Grant View All Details

Give another user the ability to view all properties of the service account

ServiceAccountGrantReferenceServiceAccount

Service Account

Grant Reference Service Account

Give another user the ability to reference a service account

ServiceEditAll

Service

Edit

Edit all properties of the service

ServiceModifyState

Service

Modify State

Edit the state of the service

ServiceViewAllDetails

Service

View All Details

View all details of the service

ServiceViewHistory

Service

View History

View the history of updates made to the service

ServiceDelete

Service

Delete

Delete the service

ServiceReference

Service

Reference

Reference the service

ServiceGrantManageService

Service

Grant Manage Service

Give another Service Manager the ability to manage the service

ServiceGrantViewAllDetails

Service

Grant View All Details

Give another user the ability to view all properties of the service

ServiceGrantReferenceService

Service

Grant Reference Service

Give another user the ability to reference the service

UIPlatformSettingsTab

GenericResource

View Platform Settings Tab

Display the Platform Settings tab in the API Manager Portal, where an Administrator can set tenant-level settings (for example, time zone)

UIViewAPITab

GenericResource

View API Tab

Display the API tab in Manager Portal

UIViewApplicationTab

GenericResource

View Application Tab

Display the Application tab in Manager Portal

UIViewGatewayTab

GenericResource

View Gateway Tab

Display the Gateway tab in Manager Portal 

UIViewRoleTab

GenericResource

View Role Tab

Display the Role tab in Manager Portal 

UsersManage

GenericResource

Manage Users

Modify Users, groups, and membership for groups and roles.

UsersViewHistory

GenericResource

View user management history

View change history for users, groups, and roles

ViewAllHistory

GenericResource

View all history across the system

View the change history for all resources and system changes

Grants

In tandem with roles, grants determine which users can access which resources in API Platform Cloud Service.

Roles determine which grants a user is eligible to receive; grants determine which actions a user can perform on specific resources. Because grants are issued at the resource level, you have fine-grained control over which users can perform which actions on specific resources. You can control how you want to manage the API lifecycle by issuing certain grant combinations to your users. For example, if you want trusted API Managers to be able to deploy directly to gateways in a development environment without explicit approval from a Gateway Manager, an Administrator or a Gateway Manager can issue that user the Deploy to Gateway grant for a development gateway. In this example the API Manager has not been given approval to deploy directly to a production gateway. They are not able to deploy APIs to it unless they are given explicit approval to do so.
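The role-and-grant check described above, modeled over a subset of this page's Gateway Grants table and its development/production gateway scenario. This is an added example, not Oracle's code or API. It assumes group membership has already been resolved to a set of roles per user, uses constructed user and gateway names, and treats a grant held without an eligible role as conferring nothing (a modeling choice).

```python
from dataclasses import dataclass

# Subset of the Gateway Grants table on this page:
# grant name -> (roles it can be issued to, actions it enables).
GATEWAY_GRANTS = {
    "Deploy to Gateway": ({"Gateway Manager", "API Manager"},
                          {"GatewayDeploy", "GatewayRequestDeploy"}),
    "Request Deployment to Gateway": ({"API Manager"},
                                      {"GatewayRequestDeploy"}),
    "View all details": ({"Gateway Manager", "API Manager"},
                         {"GatewayViewAllDetails"}),
    "Node Service Account": ({"Gateway Runtime"},
                             {"GatewayRetrieveConfiguration",
                              "GatewayUploadStatistics"}),
}

@dataclass(frozen=True)
class IssuedGrant:
    user: str
    grant: str
    gateway: str  # logical gateway; grants apply to all of its nodes

def eligible(roles, grant):
    """Roles decide which grants a user may hold; Administrators are
    eligible to receive grants for all objects."""
    return "Administrator" in roles or bool(roles & GATEWAY_GRANTS[grant][0])

def allowed_actions(user, gateway, roles_by_user, issued):
    """Union of actions from the user's grants on this one gateway,
    counting only grants the user's roles make them eligible for."""
    roles = roles_by_user.get(user, set())
    actions = set()
    for g in issued:
        if (g.user, g.gateway) == (user, gateway) and eligible(roles, g.grant):
            actions |= GATEWAY_GRANTS[g.grant][1]
    return actions

def can(user, action, gateway, roles_by_user, issued):
    return action in allowed_actions(user, gateway, roles_by_user, issued)

def audit(roles_by_user, issued):
    """Access review: issued grants whose holder has no eligible role."""
    return [g for g in issued
            if not eligible(roles_by_user.get(g.user, set()), g.grant)]

# Constructed sample data (user and gateway names are hypothetical).
ROLES = {
    "alice": {"API Manager"},
    "bob": {"Application Developer"},
    "gw-node-svc": {"Gateway Runtime"},
}
ISSUED = [
    IssuedGrant("alice", "Deploy to Gateway", "dev-gw"),
    IssuedGrant("alice", "Request Deployment to Gateway", "prod-gw"),
    IssuedGrant("bob", "Deploy to Gateway", "prod-gw"),  # ineligible on purpose
    IssuedGrant("gw-node-svc", "Node Service Account", "prod-gw"),
]

if __name__ == "__main__":
    for gw in ("dev-gw", "prod-gw"):
        print(gw, "alice may deploy:", can("alice", "GatewayDeploy", gw, ROLES, ISSUED))
    print("review findings:", audit(ROLES, ISSUED))
```

The `audit` function is the piece to run during a periodic access review: it lists grants that remain on a resource even though the holder's roles no longer make them eligible.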

API Platform Cloud Service grants, the users each grant can be issued to, and the actions each grant enables are described below.

API Grants

Grant Name Description Can Be Issued To Associated Actions

Manage API

People issued this grant are allowed to modify the definition of and issue grants for this API.

API Managers

APIDelete

APIViewAllDetails

APIViewPublicDetails

APIEdit

APIEditPublic

APIModifyPublishState

APIModifyLifecycleState

APIDeploy

APIGrantManageAPI

APIGrantViewAllDetails

APIGrantViewPublicDetails

APIGrantDeployAPI

View all details

People issued this grant are allowed to view all information about this API in the Management Portal.

API Managers, Gateway Managers

APIViewAllDetails

View public details

People issued this grant are allowed to view the publicly available details of this API on the Developer Portal. This grant can be issued to users of any role.

API Managers, Application Developers

APIViewPublicDetails

Deploy API

API Managers with the Manage API grant already have this permission for all gateways they are allowed to view.

API Managers without the Manage API grant and Gateway Managers issued this grant are allowed to deploy or undeploy this API to a gateway for which they have deploy rights. This allows Gateway Managers to deploy this API without first receiving a request from an API Manager.

API Managers, Gateway Managers

APIDeploy

Register

People issued this grant are allowed to register applications for this API.

API Managers, Application Developers

PlanViewPublicDetails

PlanRegisterApplication

Request Registration

People issued this grant are allowed to request to register applications for this plan.

API Managers, Application Developers

PlanViewPublicDetails

PlanRequestRegisterApplication

Gateway Grants

Grant Name Description Can be Issued To Associated Actions

Manage Gateway

People issued this grant are allowed to manage API deployments to this gateway and manage the gateway itself.

Gateway Managers

GatewayManage

GatewayViewAllDetails

GatewayDeploy

GatewayRequestDeploy

GatewayApproveDeployRequest

GatewayGrantManageGateway

GatewayGrantViewGateway

GatewayGrantDeployAPI

GatewayGrantRequestDeployAPI

View all details

People issued this grant are allowed to view all information about this gateway.

Gateway Managers, API Managers

GatewayViewAllDetails

Deploy to Gateway

People issued this grant are allowed to deploy or undeploy APIs to this gateway.

Gateway Managers, API Managers

GatewayDeploy

GatewayRequestDeploy

Request Deployment to Gateway

People issued this grant are allowed to request API deployments to this gateway. Requests must be approved by a Gateway Manager.

API Managers

GatewayRequestDeploy

Node Service Account

Gateway Runtime service accounts are issued this grant to allow them to download configuration and upload statistics.

GatewayRuntime

GatewayRetrieveConfiguration

GatewayUploadStatistics

Application Grants

Grant Name Description Can be Issued To Associated Actions

Manage Application

People issued this grant can view, modify and delete this application. API Manager users issued this grant can also issue grants for this application to others.

API Managers, Application Developers

ApplicationEdit

ApplicationDelete

ApplicationView

ApplicationGrantManageApplication

View All Details

People issued this grant can see all details about this application in the Developer Portal.

Administrators, API Managers, Application Developers, Gateway Managers

ApplicationViewAllDetails

Service Account Grants

Grant Name Description Can be Issued To Associated Actions

Manage Service Account

People issued this grant are allowed to view, modify and delete this service account.

Administrators, Service Managers

ServiceAccountEditAll

ServiceAccountViewAllDetails

ServiceAccountViewHistory

ServiceAccountDelete

ServiceAccountReference

ServiceAccountGrantManageServiceAccount

ServiceAccountGrantViewAllDetails

ServiceAccountGrantReferenceServiceAccount

View all details

People issued this grant are allowed to see all details about this service account.

Administrators, API Managers, Gateway Managers, Service Managers

ServiceAccountViewHistory

ServiceAccountViewAllDetails

Reference Service Account

People issued this grant are allowed to reference this service account (add it to policies).

Administrators, API Managers, Service Managers

ServiceAccountViewAllDetails

ServiceAccountReference

Service Grants

Grant Name Description Can be Issued To Associated Actions

Manage Service

People issued this grant are allowed to view, modify and delete this service.

Administrators, Service Managers

ServiceEditAll

ServiceModifyState

ServiceViewAllDetails

ServiceViewHistory

ServiceDelete

ServiceReference

ServiceGrantManageService

ServiceGrantViewAllDetails

ServiceGrantReferenceService

View All Details

People issued this grant are allowed to see all details about this service.

Administrators, API Managers, Gateway Managers, Service Managers

ServiceViewAllDetails

ServiceViewHistory

Reference Service

Users issued this grant are allowed to reference this service (add it to policies).

Administrators, API Managers, Service Managers

ServiceViewAllDetails

ServiceReference