Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
      Docs Contribution Guidelines
      Want to help out, or found an issue in the docs and want to let us know?
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • API
  • Portal Auth
  • Portal RBAC Setup
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Overview
  • Enable RBAC in portal
  • Setup RBAC
    • Create a Team
    • Assign a Role to a Team
    • Add a Developer to a Team
    • Remove a Developer from a Team
  • More information

Portal RBAC Setup

Overview

A common scenario for a Dev Portal is to restrict developers’ ability to view or request access to specific services based on their permissions.

Konnect Dev Portal enables administrators to define Role-Based Access Control (RBAC) for teams of developers through the Konnect API.

Portal RBAC supports two different roles for API products that can be applied to a team of developers:

  • API Viewer: provides read access to the documentation associated with an API product.
  • API Consumer: can register applications to consume versions of an API product.

You can use the API to create a team, assign a role to the team, and finally, add developers to the team.

Enable RBAC in portal

Portal RBAC is deny-by-default which means that if you haven’t configured teams and roles for your developers, then enabling the capability will prevent them from seeing any services in the portal.

We recommend setting up your teams and permissions before enabling RBAC which will allow for a seamless transition: developers see what they’re supposed to, instead of nothing at all.

RBAC is disabled by default in the Konnect portal. To enable RBAC, you must make a PATCH request to the portal configuration endpoint. The following example shows how to enable RBAC in the portal. For more details on how to create your personal access token, see the authentication documentation.

curl --request PATCH \
  --url https://<region>.api.konghq.com/konnect-api/api/portals/{portal-id} \
  --header 'Authorization: Bearer <personal-access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "rbac_enabled": true
  }'

The portal-id can be found in Konnect within the Dev Portal section.

Setup RBAC

Create a Team

To create a team, you must make a POST request to the teams endpoint. The following example shows how to create a team.

curl --request POST \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams \
  --header 'Authorization: Bearer <personal-access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "IDM - Developers Team",
    "description": "The Identity Management (IDM) team."
  }'

You can verify that the team has been created by making a GET request to the teams endpoint.

curl --request GET \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams \
  --header 'Authorization: Bearer <personal-access-token>'

Assign a Role to a Team

Once you have defined a team, the next step is to assign one or more roles to the team.

To get a list of the available roles, make a GET request to the roles endpoint. The following example shows how to get a list of the available roles.

curl --request GET \
  --url https://<region>.api.konghq.com/v2/portal-roles \
  --header 'Authorization: Bearer <personal-access-token>'

Available roles are limited to managing access to API products. In the future, we may expand the types of access that can be managed. The current list of available service roles are:

  • “API Consumer”
  • “API Viewer”

Assigning a role to a team requires a few pieces of information:

  • The entity type (e.g. services)
  • The role to be applied (e.g. API Consumer or API Viewer)
  • The entity id (e.g. 5b349722-dfb4-4e78-937c-41526164fa1a)
  • The region of the entity (e.g. us or eu)

To assign a role to a team, you must make a POST request to the team roles endpoint. The following example shows how to assign the API Viewer role to the team created in the previous section for a particular service with id of 5b349722-dfb4-4e78-937c-41526164fa1a.

curl --request POST \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams/<team-id>/assigned-roles \
  --header 'Authorization: Bearer <personal-access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "role_name": "API Viewer",
  "entity_id": "5b349722-dfb4-4e78-937c-41526164fa1a",
  "entity_type_name": "Services",
  "entity_region": "us"
}'

Each role mapping created has a unique ID that can be used later for removing that role permission.

{
  "id": "8a368199-258e-4e55-81e7-346bbf9c182a",
  "role_name": "API Viewer",
  "entity_region": "us",
  "entity_type_name": "Services",
  "entity_id": "a2df2d4d-127e-4625-b26d-92cbd4a3b930"
}

To remove a role from a team, you must make a DELETE request to the team roles endpoint. The following example shows how to remove the RBAC role from the team created in the previous section.

curl --request DELETE \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams/{team-id}/assigned-roles/{role-id} \
  --header 'Authorization: Bearer <personal-access-token>'

Add a Developer to a Team

Once a team has been created with one or more RBAC roles, you need to add developers to the team.

Every developer in your portal has a unique ID that can be used for management operations.

You can make a GET request to the developers endpoint to retrieve all the information about individual developers who have registered to the Dev Portal. The following example shows how to make the request.

curl --request GET \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/developers \
  --header 'Authorization: Bearer <personal-access-token>'

To add a developer to a team, you make a POST request to the team members endpoint with the unique ID of the developer you want to add. The following example shows how to add a developer to a team.

curl --request POST \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams/<team-id>/developers \
  --header 'Authorization: Bearer <personal-access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "id": "<developer-id>"
}'

Remove a Developer from a Team

To remove a developer from a team, you must make a DELETE request to the team members endpoint with the unique ID of the developer you want to remove. The following example shows how to add a developer to a team.

curl --request DELETE \
  --url https://<region>.api.konghq.com/v2/portals/{portal-id}/teams/{team-id}/developers/{developer-id} \
  --header 'Authorization: Bearer <personal-access-token>' \
  --header 'Content-Type: application/json'

More information

Portal RBAC API documentation

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023