Apigee RBAC Incorrect Behaviour - Role API

Google Cloud Apigee
, , ,
1

I am trying to set up a role based access control and the resouce permission api seems not working as expected.

{
    "resourcePermission": [
        {
          "path": "/applications/azp-retail-*",
          "permissions": [
            "get",
            "put",
            "delete"
          ]
        },
        {
          "path": "/applications/azp-retail-*/revisions",
          "permissions": [
            "get"
          ]
        },
        {
          "path": "/applications/azp-retail-*/revisions/*",
          "permissions": [
            "get",
            "put",
            "delete"
          ]
        },
        {
          "path": "/applications/azp-retail-*/deployments",
          "permissions": [
            "get"
          ]
        },
        {
          "path": "/applications/azp-retail-*/revisions/*/deployments",
          "permissions": [
            "get",
            "put"
          ]
        },
        {
          "path": "/environments/dev/applications/azp-retail-*/deployments",
          "permissions": [
            "get"
          ]
        },
        {
          "path": "/environments/dev/applications/azp-retail-*/revisions/*/deployments",
          "permissions": [
            "get",
            "put",
            "delete"
          ]
        },
        {
          "path": "/applications/azp-retail-*/revisions/*/policies",
          "permissions": [
            "get",
            "put"
          ]
        },
        {
          "path": "/applications/azp-retail-*/revisions/*/policies/*",
          "permissions": [
            "get"
          ]
        }
      ]
}

I am expecting the role to manage dev proxies with azp-retail prefix.

However post creation, UI shows the below.

vipinev_1-1742544895057.png
vipinev_1-1742544895057.png1708×806 71.5 KB

It allows to edit, delete all proxies.

If you try to delete this permission via console it says it doesnt exists.

Also when you login as a user with this role, I can edit/delete all proxies.

2

Hey @vipinev ,

We’ve seen that your question hasn’t gotten a response yet. We’ll keep checking in on this thread and encourage other members to share their thoughts.

3

Hi,

Thanks for this question. Creating custom RBAC rules can be complicated. Apigee just released a new feature that we call Spaces that greatly simplifies ownership management of Proxies, Shared Flows, and Products.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows and API products.

You can create multiple Spaces in the same organization for different teams, development projects, or environments and set the IAM controls for each Space. Any API resources created under a Space will inherit the IAM policies applied to that Space.

See: https://cloud.google.com/apigee/docs/api-platform/system-administration/spaces/apigee-spaces-overview

Using Spaces also eliminates the need for team based naming conventions, although you are welcome to continue to use them.

Take a look, I think Spaces will help you out.