This section describes the Apigee-specific roles that you commonly assign to your users. These
are not the same roles that you assign to service accounts.
Apigee-specific roles
Apigee provides a set of pre-defined (or curated) roles called Apigee roles.
In general, all pre-defined Apigee roles can:
Get and list organizations
Get and list environments (most but not all roles)
Get and list projects
The following table summarizes a few of the main Apigee roles.
Curated Role Name
Description
Analytics Editor
Creates and analyzes reports on API proxy traffic for an Apigee organization. Can edit queries
and reports.
API Admin (V2)
A developer that creates and tests API proxies. This role gives full read/write access to API products and apps,
as well as API proxies, shared flows, and KVMs.
This role replaces the deprecated API Creator role.
API Reader (V2)
Provides read-only access to most Apigee features, including API products, environment
groups, environments, KVMs, proxies, shared flows, and more.
Analytics Viewer
Views analytics data for an organization. This role can get environment stats.
Environment Admin
This role gives full read/write access to Apigee environment resources, including
flow hooks, keystores, KVMs, shared flows, and target servers. For a full listing of
permissions for this role, see Apigee roles
in the Cloud IAM documentation.
Developer Admin
Manages developer access to apps. This role can read API products and can edit app keys,
developer apps, and developers.
Org Admin
A super user that has full access to all Apigee resources in the Apigee organization. This
role can access all available actions for all APIs. This is the only role that can create, delete,
or update organizations.
Read Only Admin
An administrator who can run reports and view everything in the Apigee organization without
the ability to create or change anything. This role has read access to all Apigee resources
within the Apigee organization. Your Google Cloud project's service account is assigned this
role during setup and installation.
You can view these roles and the service account roles in the IAM Permissions
view within Google Cloud console:
To access the IAM Permissions view:
In the Google Cloud console, go to the IAM & Admin > Roles page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis page outlines Apigee-specific roles applicable to both Apigee and Apigee hybrid.\u003c/p\u003e\n"],["\u003cp\u003eApigee offers pre-defined roles, called "Apigee roles," that generally allow for the listing and retrieval of organizations, environments, and projects.\u003c/p\u003e\n"],["\u003cp\u003eRoles such as \u003ccode\u003eAPI Admin\u003c/code\u003e, \u003ccode\u003eAPI Reader\u003c/code\u003e, \u003ccode\u003eAnalytics Editor\u003c/code\u003e, and \u003ccode\u003eEnvironment Admin\u003c/code\u003e grant specific access levels and permissions for managing API proxies, analytics, and environments.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eOrg Admin\u003c/code\u003e role is a super user with complete access to all Apigee resources, and the \u003ccode\u003eRead Only Admin\u003c/code\u003e role allows for comprehensive viewing but no modification abilities.\u003c/p\u003e\n"],["\u003cp\u003eIn addition to Apigee roles, Google Cloud roles are also utilized for managing user permissions within the Apigee platform.\u003c/p\u003e\n"]]],[],null,["# Apigee roles\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nThis section describes the Apigee-specific roles that you commonly assign to your users. These\nare not the same roles that you assign to service accounts.\n| **Note:** For more information, see [Users and\n| roles](/apigee/docs/api-platform/system-administration/users-roles-overview).\n\nApigee-specific roles\n---------------------\n\nApigee provides a set of pre-defined (or *curated* ) roles called *Apigee roles*.\nIn general, all pre-defined Apigee roles can:\n\n- Get and list organizations\n- Get and list environments (most but not all roles)\n- Get and list projects\n\nThe following table summarizes a few of the main Apigee roles.\n| **Note:** For a complete list of all Apigee roles and their specific permissions, see [Apigee roles](/iam/docs/understanding-roles#apigee-roles).\n\nYou can view these roles and the service account roles in the IAM **Permissions**\nview within Google Cloud console:\n\nTo access the IAM **Permissions** view:\n\nIn the Google Cloud console, go to the **IAM \\& Admin \\\u003e Roles** page.\n\n[Go to Roles](https://console.cloud.google.com/iam-admin/roles)\n\nFor a complete list of API permissions for each role, see [Apigee roles](/iam/docs/understanding-roles#apigee-roles).\n| **Note:** If you create a role in the **IAM \\& Admin \\\u003e Roles** page, be sure to include the permission `apigee.projectorganizations.get` in the role.\n\nIn addition to the Apigee roles, you also apply Google Cloud roles such\nas Logs Writer and Storage Object Admin to your users."]]
