Users and roles

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

A user represents an authenticated account that can access an organization and the entities within that organization, such as the environments, API proxies, and keystores.

To add a new user to your Apigee organization, you grant access to the user's account, first in the Cloud project and then in the Apigee UI. (This document uses the terms user and user account interchangeably.)

When you add a new user, you typically:

  1. In the Console, assign the new user to one or more roles in your Cloud project. This gives the user broad access to all environments in the organization.

    For more information, see Managing access in the Console.

  2. In the Apigee UI, grant additional user roles in one or more environments in your Apigee organization. Note that environment-scoped user roles do not supersede roles granted at the Google Cloud level; they are additive.

    For more information, see Manage users in the Apigee UI.

Note: You do not have to assign the same role for a user in the Apigee UI for each environment that you assigned to the user for the Cloud project.

About roles

The capabilities that you grant to the user account depend on the type of role that you assign to them. A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. For example, you might assign a developer to the role of API Admin so that they can create API proxies, KVM, and shared flows. For someone that will deploy proxies, you might assign them to the role of Environment Admin, which grants them the ability to deploy and undeploy API proxy revisions. For details about all Apigee roles, see Apigee roles.

Additionally, the resources that a user can access based on their role depend on where you assigned the role:

  • Google Cloud project - If you assign a role in the Console (on the Google Cloud project), then the user can access all Apigee resources—all environments and resources within those environments—in that role. This is because the Cloud project is the parent of the Apigee UI in the resource hierarchy; the permissions set on the parent (the Cloud project) are inherited by all children (environments). You can refine this access by specifying user roles on a per environment basis in the Apigee UI.

    Access control in Google Cloud Platform is controlled by Identity and Access Management (IAM). IAM lets you set permissions specifying who has what kind of access to which resources in your project. For more information, see Concepts related to identity.

    Users are a type of principal, a broad term that refers to an identity that can be granted access to resources. Other types of Cloud principals include service accounts, Google groups, and G Suite domains. For more information, see this overview of Cloud Identity and Access Management.

  • Environment access - Granting a user role for a specific environment does not supersede roles set at the Google Cloud project level. At the environment level, roles granted to a user are represented as a union with any Cloud roles assigned to the user.

For example, if you define a user as an API Admin on the Cloud project, then that user will have access—as an API Admin—to all environments in your organization.
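
The additive model described above can be checked with a short audit script. This is an added example, not code from the Apigee documentation: it computes each user's effective roles per environment as the union of project-level and environment-level grants, and lists environment grants that add nothing because the project already grants the same role. The policies are constructed sample data in the IAM policy JSON shape (bindings of role and members); the member names and role IDs are illustrative assumptions.

```python
"""Effective Apigee roles under the additive (union) model. Added example."""
from collections import defaultdict

def members_by_role(policy):
    """Invert an IAM policy ({"bindings": [{"role", "members"}]}) to member -> roles."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out

def effective_roles(project_policy, env_policies):
    """Return {env: {member: roles}}, where roles = project roles | environment roles."""
    inherited = members_by_role(project_policy)
    result = {}
    for env, policy in env_policies.items():
        scoped = members_by_role(policy)
        # Project-level grants reach every environment; environment grants only add.
        result[env] = {m: inherited.get(m, set()) | scoped.get(m, set())
                       for m in set(inherited) | set(scoped)}
    return result

def redundant_grants(project_policy, env_policies):
    """Environment grants that duplicate a role the member already inherits."""
    inherited = members_by_role(project_policy)
    return sorted((env, m, r)
                  for env, policy in env_policies.items()
                  for m, roles in members_by_role(policy).items()
                  for r in roles & inherited.get(m, set()))

# Constructed sample policies (assumed names and role IDs, for illustration only).
PROJECT = {"bindings": [
    {"role": "roles/apigee.apiAdminV2", "members": ["user:dev@example.com"]}]}
ENVS = {
    "test": {"bindings": [
        {"role": "roles/apigee.environmentAdmin", "members": ["user:dev@example.com"]}]},
    "prod": {"bindings": [
        {"role": "roles/apigee.apiAdminV2", "members": ["user:dev@example.com"]},
        {"role": "roles/apigee.environmentAdmin", "members": ["user:release@example.com"]}]},
}

if __name__ == "__main__":
    for env, members in sorted(effective_roles(PROJECT, ENVS).items()):
        for member, roles in sorted(members.items()):
            print(env, member, sorted(roles))
    print("redundant:", redundant_grants(PROJECT, ENVS))
```

In the sample, the project-level grant follows user:dev@example.com into both environments, so the only way to narrow that user's access is to change the project-level role, not the environment-level ones.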

Role recommendations

Apigee recommends that you do the following for each new user account that you add. (When adding super users or administrators, this is not necessary.):

  1. In the Console, add the new user account and select a role that has a minimal set of permissions. For example, set the role of a new user to API Admin. See Managing access in Google Cloud.
  2. In the Apigee UI's Environment Access view, add the user and set any additional user roles for each environment in the organization as described in Manage users. Note that environment-scoped roles set in the Apigee UI do not supersede roles set at the Google Cloud level; they are additive.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.