API Permissions
The Cloud Manager API is accessed using a technical service account created using the Adobe Developer Console. This service account can only be used to access the API -- it does not have a normal password and so cannot be used to log into Cloud Manager or Experience Cloud in general. Although this service account is effectively created by an individual, it is "owned" by the organization. As a result, when looking at the permissions required to use the Cloud Manager API, there are two separate permissions to consider. The first is the permission required to create the project in the Adobe Developer Console. The second is the permission assigned to the service account.
Developer Console Project Creation Permission
Creating a project with the Cloud Manager API in the Adobe Developer Console is allowed for authenticated users who are either System Administrators in the target organization or are assigned Developer Access for one or more Cloud Manager product profiles. A user who is a System Administrator in the target organization can create projects in Developer Console with any of the Cloud Manager product profiles, whereas a user with Developer Access is explicitly allowed to create projects using a subset of product profiles.
To assign a user Developer Access, in the Adobe Admin Console, click the Add Developer link. Enter the email address and click the Assign Products tab. Then select the product and product profiles desired before clicking Save. For example, in the image below, the user would have the ability to create projects in Adobe Developer Console with the Cloud Manager - Deployment Manager product profile.
It is important to understand that this does not enable this user (developer@myco.com in this example) to actually log into Cloud Manager, Adobe Experience Manager or any other Experience Cloud product. This only enables this user to create projects in Adobe Developer Console with the Cloud Manager API.
Cloud Manager API Permissions
Interactions with the Cloud Manager API using the service account are permitted based on the product profiles assigned to the service account. When creating or editing a project in Adobe Developer Console, the product profiles for that project are selectable.
Which profiles are listed here depends on the user -- if this was done using the developer@myco.com user created above, only the Cloud Manager - Deployment Manager product profile would be displayed.
Which product profile(s) or permission(s) to select depends upon the specific requirements for the project and what APIs will be accessed. Either a pre-defined product profile can be assigned or, with custom permissions, a permission for the respective operation can be assigned to a custom profile.
With a few exceptions (listed below), if only read (GET) access is required, the Developer product profile will be sufficient. Guidance for projects which require specific profiles:
Detailed Permission Information
deleteProgram DELETE /api/program/{programId}
updateCertificate PUT /api/program/{programId}/certificate/{certificateId}
deleteCertificate DELETE /api/program/{programId}/certificate/{certificateId}
createCertificate POST /api/program/{programId}/certificates
getContentFlow GET /api/program/{programId}/contentFlow/{contentFlowId}
cancelContentFlow DELETE /api/program/{programId}/contentFlow/{contentFlowId}
getContentFlowLogs GET /api/program/{programId}/contentFlow/{contentFlowId}/logs
downloadLogs GET /api/program/{programId}/contentFlow/{contentFlowId}/logs/download
listContentFlows GET /api/program/{programId}/contentFlows
deleteContentSet DELETE /api/program/{programId}/contentSet/{contentSetId}
updateContentSet PUT /api/program/{programId}/contentSet/{contentSetId}
getContentSet GET /api/program/{programId}/contentSet/{contentSetId}
createContentSet POST /api/program/{programId}/contentSets
listContentSets GET /api/program/{programId}/contentSets
updateEnvironmentDomainName PUT /api/program/{programId}/domainName/{domainNameId}
deleteEnvironmentDomainName DELETE /api/program/{programId}/domainName/{domainNameId}
deployDomainName POST /api/program/{programId}/domainName/{domainNameId}/deploy
verifyDomainName POST /api/program/{programId}/domainName/{domainNameId}/verify
createEnvironmentDomainName POST /api/program/{programId}/domainNames
validateDomainName POST /api/program/{programId}/domainNames/validate
deleteEnvironment DELETE /api/program/{programId}/environment/{environmentId}
enableEnvironmentAdvancedNetworkingConfiguration PUT /api/program/{programId}/environment/{environmentId}/advancedNetworking
disableEnvironmentAdvancedNetworkingConfiguration DELETE /api/program/{programId}/environment/{environmentId}/advancedNetworking
createContentFlow POST /api/program/{programId}/environment/{environmentId}/contentFlow
getEnvironmentLogs GET /api/program/{programId}/environment/{environmentId}/logs
downloadLogs GET /api/program/{programId}/environment/{environmentId}/logs/download
createRegionDeployment POST /api/program/{programId}/environment/{environmentId}/regionDeployments
patchRegionDeployment PATCH /api/program/{programId}/environment/{environmentId}/regionDeployments
resetRde PUT /api/program/{programId}/environment/{environmentId}/reset
restoreExecution PUT /api/program/{programId}/environment/{environmentId}/restoreExecution
patchEnvironmentVariables PATCH /api/program/{programId}/environment/{environmentId}/variables
createEnvironment POST /api/program/{programId}/environments
addFeedback POST /api/program/{programId}/feedbacks
updateIPAllowlist PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId}
deleteIPAllowlist DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId}
deleteIPAllowlistBinding DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId}
retryIPAllowlistBinding PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId}/retry
createIPAllowlistBinding POST /api/program/{programId}/ipAllowlist/{ipAllowlistId}/bindings
createIPAllowlist POST /api/program/{programId}/ipAllowlists
updateNetworkInfrastructure PUT /api/program/{programId}/networkInfrastructure/{networkInfrastructureId}
deleteNetworkInfrastructure DELETE /api/program/{programId}/networkInfrastructure/{networkInfrastructureId}
createNetworkInfrastructure POST /api/program/{programId}/networkInfrastructures
getNewRelicSubAccountUserList GET /api/program/{programId}/newRelicUsers
createDeleteNewRelicSubAccountUsers PATCH /api/program/{programId}/newRelicUsers
deletePipeline DELETE /api/program/{programId}/pipeline/{pipelineId}
patchPipeline PATCH /api/program/{programId}/pipeline/{pipelineId}
invalidateCache DELETE /api/program/{programId}/pipeline/{pipelineId}/cache
startPipeline PUT /api/program/{programId}/pipeline/{pipelineId}/execution
advancePipelineExecution PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/advance
cancelPipelineExecutionStep PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/cancel
patchPipelineVariables PATCH /api/program/{programId}/pipeline/{pipelineId}/variables
getPipelineVariables GET /api/program/{programId}/pipeline/{pipelineId}/variables
addProgram POST /api/tenant/{tenantId}/programs
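
An added example (not Adobe's code) for choosing the narrowest product profile: it matches an integration's planned calls against a few rows of the operation list above and separates plain reads from calls that need an explicitly chosen profile or permission. It assumes that a GET appearing in that list is one of the exceptions to the Developer-profile rule; the function names and the sample calls are constructed for illustration.

```python
import re

# Subset of the operation list above: (operation, method, path template).
OPERATIONS = [
    ("deleteProgram", "DELETE", "/api/program/{programId}"),
    ("getEnvironmentLogs", "GET", "/api/program/{programId}/environment/{environmentId}/logs"),
    ("patchEnvironmentVariables", "PATCH", "/api/program/{programId}/environment/{environmentId}/variables"),
    ("startPipeline", "PUT", "/api/program/{programId}/pipeline/{pipelineId}/execution"),
    ("getPipelineVariables", "GET", "/api/program/{programId}/pipeline/{pipelineId}/variables"),
    ("patchPipelineVariables", "PATCH", "/api/program/{programId}/pipeline/{pipelineId}/variables"),
    ("addProgram", "POST", "/api/tenant/{tenantId}/programs"),
]


def _compile(template):
    # Each {placeholder} matches exactly one path segment; the rest is literal.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("[^/]+".join(re.escape(p) for p in parts) + r"/?$")


_TABLE = [(name, method, _compile(path)) for name, method, path in OPERATIONS]


def match_operation(method, path):
    """Return the listed operation name for a request, or None if not listed."""
    path = path.split("?", 1)[0]  # ignore any query string
    for name, op_method, pattern in _TABLE:
        if op_method == method.upper() and pattern.match(path):
            return name
    return None


def review_calls(calls):
    """Split planned (method, path) calls into plain reads (Developer profile,
    per the rule above) and calls needing a specific profile or permission."""
    developer_ok, needs_review = [], []
    for method, path in calls:
        op = match_operation(method, path)
        if method.upper() == "GET" and op is None:
            developer_ok.append((method, path))
        else:
            needs_review.append((method, path, op or "unlisted non-GET"))
    return developer_ok, needs_review


# Constructed sample: calls a hypothetical CI integration plans to make.
PLANNED = [
    ("GET", "/api/program/4/pipelines"),
    ("GET", "/api/program/4/pipeline/17/variables"),
    ("PUT", "/api/program/4/pipeline/17/execution"),
]
```

Running `review_calls(PLANNED)` before assigning profiles in the Developer Console shows which calls force the service account above the Developer profile, so the wider grant can be justified per operation.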