Predefined Roles and Permissions
There are a number of roles and permissions predefined in Policy Manager. Any user added to a role automatically inherits the permissions for that role. If a user is added to multiple roles, that user is granted permissions from all the roles.
Role | Permissions | For more information, see... |
Administrator | Create, read, update, and delete any object in the system. | This role provides unrestricted access to the API Gateway. The Policy Manager documentation describes features from an Administrator perspective. |
Gateway Maintenance | Create, read, and update configuration for the FTP Audit Archiver. Delete any audit record. The hidden cluster property audit.archiver.ftp.config stores the configuration of the FTP Audit Archiver that is visible on the interface. Contact your system administrator before modifying this property. | FTP Audit Archiver |
Invoke Audit Viewer Policy | Users with this role will be permitted to invoke the Audit Viewer Policy. | Invoke the Audit Viewer Policy in Gateway Audit Events. Working with Internal Use Policies |
Manage Administrative Accounts Configuration | Create, read, and update the cluster properties that govern administrative accounts: logon.maxAllowableAttempts, logon.lockoutTime, logon.sessionExpiry, and logon.inactivityPeriod. These cluster properties can also be set using the Manage Administrative Users task. | Manage Administrative User Account Policy Time Units |
Manage Certificates (truststore) | Create, read, update, and delete trusted certificates and policies for revocation checking. | Certificate Expiration Notification Manage Certificate Validation |
Manage Cluster Properties | Create, read, update, and delete any cluster property. | Manage Cluster-Wide Properties Time Units |
Manage Cluster Status | Create, read, update, and delete cluster status information. | Dashboard - Cluster Status |
Manage Custom Key Value Store | Create, read, update, and delete key values from custom key value store. | Custom Assertions API |
Manage Email Listeners | Create, read, update, and delete email listeners. | Manage Email Listeners |
Manage Encapsulated Assertions | Create, read, update, and delete encapsulated assertions. Read any policy fragment. Read all assertions. | Manage Encapsulated Assertions Working with Policy Fragments |
Manage Firewall Rules | Create, read, update, and delete firewall rules. | Manage Firewall Rules |
Manage JDBC Connections | Create, read, update, and delete JDBC connections. | Manage JDBC Connections |
Manage Listen Ports | Create, read, update, and delete API Gateway listen ports (both HTTP(S) and FTP(S)), and list published services. | Manage Listen Ports |
Manage Log Sinks | Create, read, update, and delete log sinks. Read access to the entities that a log sink can reference (see the related topics). | Manage Email Listeners Organize Services and Policies into Folders Impact of Security Zones Manage JMS Destinations Manage Listen Ports Manage Log Sinks View Logs Policies |
Manage Message Destinations | Create, read, update, and delete message destinations. This includes read access to the entities that a message destination can reference (see the related topics). | Manage JMS Destinations Manage Listen Ports Managing Private Keys Manage Published Services Manage Stored Passwords |
Manage Modules Installable via Policy Manager | Create, read, update, and delete server module files. | Manage Server Module Files |
Manage Password Policies | Read and update the password policy. | Manage Password Policy |
Manage Private Keys | Create, read, update, and delete private keys, as well as ability to change the default SSL key and default CA key. | Manage Private Keys Private Key Properties |
Manage Secure Passwords | Read, create, update, and delete any stored password. | Manage Stored Passwords |
Manage CA Single Sign-On Configuration | Create, read, update, and delete CA Single Sign-On configurations. This includes read access to all stored passwords. | Manage CA Single Sign-On Configurations Manage Stored Passwords |
Manage UDDI Registries | Create, read, update, and delete any UDDI registry connection. | Managing UDDI Registries Publish to UDDI Settings Service Properties |
Manage Web Services | Publish any new web service and edit existing services. Edit a global policy fragment. Create, read, and update any policy. Delete any policy, excluding global policy fragments, internal policies, and policy fragments. Read any encapsulated assertion. | Working with SOAP Web Services Working with Global Policy Fragments Service Properties Working with Internal Use Policies Working with Policy Fragments |
Manage [name] Folder | Create, read, update, and delete the contents, including aliases*, of the named folder. If there are nested sub folders, these privileges extend to the sub folders and their contents as well. | Organizing Services and Policies into Folders Working with Aliases |
Manage [name] Identity Provider | Read, update, and delete the named identity provider. Also create, search, update, and delete its users and groups. | Federated Identity Providers LDAP Identity Providers Federated Identity Provider Users and Groups |
Manage [name] Policy | Read, update, and delete the named policy (either included fragment, global fragment, or internal use policy). Read any encapsulated assertion. | Creating a Policy Encapsulated Assertions |
Manage [name] Service | Read, update, and delete the named service. | Service Properties Encapsulated Assertions |
Manage [name] Zone | Create, read, update, and delete entities in the named security zone. View the root node folder. | Understanding Security Zones Manage Security Zones |
Operator | Read-only access to the API Gateway. | Similar to the Administrator role, except permissions are read only. To allow other permissions, assign other roles. Policy changes made with an Operator role cannot be saved (both [Save] and [Save and Activate] buttons are disabled). However, policy changes can be preserved by exporting the policy. |
Publish External Identity Providers | Create any external (LDAP or Federated) Identity Provider. | Federated Identity Providers LDAP Identity Providers |
Publish Web Services | Publish any new web service. Read any encapsulated assertion. | Publish SOAP Web Service Wizard Search Identity Providers Encapsulated Assertions |
Search Users and Groups | Search and view users and groups in all identity providers. | Search Identity Providers |
View [name] Folder | View the contents of the named folder, including the contents of any nested folders. Does not imply permission to view aliases, unless user also holds a role granting access to the original service or policy. The type of folder role ('Manage' or 'View') does not affect what can be done to an alias. If a folder is nested within another folder, this role can see the parent folder(s) but not the contents of the parent folders. | Organize Services and Policies into Folders Working with Aliases |
View Audit Records | View audits in the Policy Manager. | Gateway Audit Events View Logs |
View Service Metrics | View any cluster node information, published service, service metrics bin, and service usage record. | Dashboard - Cluster Status |
View [name] Log Sink | View the contents of the named log sink, including any log files associated with the sink. | View Logs Manage Log Sinks |
View [name] Zone | View the entities within the named security zone. View the root node folder. | Understanding Security Zones |
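The rules the table relies on (role grants are unioned, scoped roles such as "Manage [name] Folder" apply only to the named entity, and a folder role does not by itself let you see through an alias to its original) are easy to get wrong when reviewing who can do what. The following is an added example, not code from the product or its documentation: a small model of the additive permission check. The role definitions, entity-type names ("listen_port", "folder_item", ...) and the handful of roles modelled are assumptions chosen for illustration and do not reflect the Gateway's internal representation.

```python
from dataclasses import dataclass

OPS = ("create", "read", "update", "delete")


@dataclass(frozen=True)
class Permission:
    """One grant: an operation on one entity type, limited to one scope.
    scope "*" means every instance; entity_type "*" means every type."""
    op: str
    entity_type: str
    scope: str = "*"


def crud(entity_type, scope="*"):
    """All four operations on an entity type within a scope."""
    return {Permission(op, entity_type, scope) for op in OPS}


def role(name):
    """Map a role name to its grants. Simplified reading of the table above;
    only a few roles are modelled and the entity-type names are assumptions."""
    if name == "Administrator":
        return crud("*")
    if name == "Operator":
        return {Permission("read", "*")}
    if name == "Manage Listen Ports":
        return crud("listen_port") | {Permission("read", "service")}
    if name == "Publish Web Services":
        return {Permission("create", "service"),
                Permission("read", "encapsulated_assertion")}
    if name.startswith("Manage ") and name.endswith(" Folder"):
        folder = name[len("Manage "):-len(" Folder")]
        return crud("folder_item", scope=folder)
    if name.startswith("View ") and name.endswith(" Folder"):
        folder = name[len("View "):-len(" Folder")]
        return {Permission("read", "folder_item", folder)}
    raise KeyError(f"unknown role: {name}")


def effective_permissions(roles):
    """Union of every assigned role's grants: adding a role only ever adds rights,
    so a broad role (e.g. Operator) is never narrowed by a scoped one."""
    perms = set()
    for r in roles:
        perms |= role(r)
    return frozenset(perms)


def allowed(perms, op, entity_type, scope):
    """True if any grant covers this operation on this entity instance."""
    return any(p.op == op
               and p.entity_type in ("*", entity_type)
               and p.scope in ("*", scope)
               for p in perms)


def can_view_alias(perms, alias_folder, original_folder):
    """An alias in alias_folder is visible only if the user can read that folder
    AND separately holds read on the original item (modelled as a folder_item
    in original_folder). A folder role alone does not reach the original."""
    return (allowed(perms, "read", "folder_item", alias_folder)
            and allowed(perms, "read", "folder_item", original_folder))


if __name__ == "__main__":
    # Constructed assignment: a read-only user who also maintains listen ports.
    ops_user = effective_permissions(["Operator", "Manage Listen Ports"])
    print("update listen port:", allowed(ops_user, "update", "listen_port", "8443"))
    print("update policy:     ", allowed(ops_user, "update", "policy", "p1"))

    # Constructed assignment: folder viewer with an alias pointing into another folder.
    viewer = effective_permissions(["View Finance Folder"])
    print("see alias (Finance -> Sales):", can_view_alias(viewer, "Finance", "Sales"))
    viewer_both = effective_permissions(["View Finance Folder", "View Sales Folder"])
    print("see alias with both folders: ", can_view_alias(viewer_both, "Finance", "Sales"))
```

When auditing a user's assignment, walk the union as this code does: the question is never "which role is most restrictive" but "does any held role grant this operation on this instance", which is why pairing Operator with any Manage role quietly widens write access to exactly that role's entities and nothing else.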