This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

This topic describes how to add users to an environment, remove users from an environment, and update user roles in an environment, using the Apigee UI.

About role scope

You can add users to Apigee organizations using the Google Cloud console. When you do this, the user is granted thesame access to all environments in the organization. However, you can refine eachuser's access by using the Apigee UI.

The Apigee UI lets you assign roles to users that are specific to a given environment. Instead of each user having the same role in all environments of an organization, you can assign a specific role or roles for that user for eachenvironment.

When you first configure Apigee and create theGoogle Cloud project to which the Apigee organization isbound, you typically add a few users with different roles likeAPI Admin andEnvironment Admin. Because these users are defined at the Cloud Project project level, they canaccessall environments with the roles granted.

If you grant access using the Apigee UI, you can set roles of existing users at theenvironment level.

Note: Before you can add a new user (and specify environment-specific access for that new user) in the Apigee UI, you must grant that user access to the Google Cloud project, as described inManaging access in Google Cloud.

Roles you assign in the Google Cloud project apply to all environments. Roles you assign in the UI apply only to the selected environment.

The roles list displays only predefined roles.

Note: Roles assigned to specific environments, as explained in this topic, only affect resources that are under theresource hierarchy that includes Apigee Environment resources. You can identify which resources are in the Environment resource hierarchy by examining theApigee API documentation. For example, theorganizations.environments.deployments resource is in theEnvironments resource hierarchy.

For all other permissions for Apigee resource access, seeManaging access in Google Cloud.

Add user accounts in the Apigee UI

To specify user permissions for an environment:

1. Ensure that you have already added the user to your Google Cloud project. For information on adding users to a Google Cloud project, seeGranting, changing, and revoking access to resources.

2. In the Google Cloud console, go to theManagement> Environments page.

   Go to Environments

   Note: If you see the message below at the top of the UI, you need toprovision your Apigee organization before proceeding further.

   

   After you have provisioned Apigee, close the UI and then reopen it.

3. Select the environment you wish to edit from the list of available environments.
4. Click theAccess tab on theEnvironment details page.

   The UI displays a list of current user accounts and roles for the selected environment.

5. Click+Grant Access.

   TheGrant Access pane displays.

6. Enter the user's email account in the first field. This email address is typically one of the following:
   • An individualGoogle account (for example,fred@gmail.com). All Gmail accounts are Google accounts, but you can also register email addresses with different domains as Google accounts.
   • A Google Group alias. For example,address@googlegroups.com.
   • A service account. For example,address@example.gserviceaccount.com.
   • A Google Workspace domain. For example,address@example.com, whereexample.com is a domain that you used when you signed up for Google Cloud services.
7. Select a role from theRole(s) list and clickOK. You can add more than one role for each user. For details on available roles, seeApigee roles andIAM permissions reference.
8. ClickGrant.
9. Repeat this process for each environment for which you want to specify the user's role.

You can remove a user account from an environment using the UI, but that user account will still have the access that it was granted in theGoogle Cloud console unless you also remove the user from the Console by default.

Remove user accounts

Removing a user at the environment level does not remove the user at the Google Cloud project level. As aresult, the user can still access all environments with their Google Cloud project level permissions.

To revoke the user's access entirely, you must remove them from the Google Cloud project as described inRevoking Access to Google Cloud Platform.

To remove a user from an environment:

1. In the Google Cloud console, go to theManagement> Environments page.

   Go to Environments

2. Select the environment name you wish to edit from the list of available environments.
3. Click theAccess tab on theEnvironment details page.

   The UI displays a list of current user accounts and roles for the selected environment.

4. In the user's row, clickmore_vertActions, and selectRemove.

   The UI displays a confirmation dialog box.

5. ClickRemove Access.

   The UI removes that user from the environment.

   Note: Removing a user at the environment level does not remove the user at the Google Cloud project level. To remove a user entirely, you must also remove that user from the Google Cloud project by using the Console, as described inRevoking Access to Google Cloud Platform.

Change user roles in the Apigee UI

You can change a user's role on a per-environment basis by using the Apigee UI. This includesadding additional roles to a user account or removing one or more roles from the user account.

To change a user's roles for an environment:

1. In the Google Cloud console, go to theManagement> Environments page.

   Go to Environments

2. Select the environment name you wish to edit from the list of available environments.
3. Click theAccess tab on theEnvironment details page.

   The UI displays a list of current user accounts and roles for the selected environment.

4. In the user's row, clickmore_vertActions, and selectEdit.

   The UI displays theManage Roles pane.

5. Do one of the following:
   1. To remove a role: Clear the checkbox next to that role.
   2. To add another role: Select the checkbox next to the role you wish to add.
6. ClickOK.
7. ClickUpdate.

   The UI applies your changes to the user in that environment.

   Note: Changing roles at the environment level does not affect the user's roles at the Google Cloud project level. For information on changing roles at the Google Cloud project level, seeGranting, changing, and revoking access to resources.