How to maintain a global system admin user?

Google Cloud Apigee
1

During the installation of a “global system Admin / global admin password” is created.

What is the correct approach to maintain this user. Can there be more than one admin user ?

What distinguishes the global admin user from other users.

In case there can be only 1 admin user, how can I replace the user by a different one ( = different email address) ?

2

Only one user is used for administrative tasks by the built in scripts. That user is defined in the ADMIN_EMAIL variable, found in your apigee-env.sh file located in the apigee4/bin subdirectory. If you want to change the user ID that your management scripts use, change that variable. While only a single user is used for administrative tasks, there can be more than one global sysadmin user. Any user who is a member of the “sysadmin” global user role will have full permissions to all resources. To create a new user, use the following example call (replace values between <> brackets):

> curl -u <ADMIN_USER>:<ADMIN_PASS> [http://<MSIP>:<PORT>/v1/users](http://<MSIP>:<PORT>/v1/users) -X POST -H content-type:application/json -d '{"emailId": "testuser@yourdomain.com", "firstName": "test", "lastName": "test", "password": "SecretPassword123!"}'

Once you have created a new global user, add that user to the global sysadmin role with the following example call (replace values between <> brackets):

> curl -u <ADMIN_USER>:<ADMIN_PASS> [http://<MSIP>:<PORT>/v1/userroles/sysadmin/users](http://<MSIP>:<PORT>/v1/userroles/sysadmin/users) -X POST -d "id=testuser@yourdomain.com"

The new user will have the same permissions as your existing global sysadmin user. If you would like to use that user for administrative scripts, simply update your apigee-env.sh file. To view users assigned to the global sysadmin role, use the following call:

> curl -u <ADMIN_USER>:<ADMIN_PASS> [http://<MSIP>:<PORT>/v1/userroles/sysadmin/users](http://<MSIP>:<PORT>/v1/userroles/sysadmin/users)
1 Like
3

Thanks Paul, I’ll add this info to the doc.

Stephen

4

A couple additional points on this one:

  1. If you switch to a different user as your global sysadmin account for scripting and administration, be sure to run apigee4/bin/chpasswd-system.sh after you update apigee-env.sh with the new admin email. The chpasswd-system.sh script will update the encrypted credentials that the Apigee Enterprise UI uses to communicate with the management API.

  2. If you simply wish to update the email of the user, you can use the following curl command:

> curl -iu <current_admin_email> 'http://localhost:8080/v1/users/<current_admin_email>' -X PUT -d '{"emailId": "<new_admin_email>", "lastName": "admin", "firstName": "admin"}' -H content-type:application/json