API Permissions
The Cloud Manager API is accessed using a technical service account created using the Adobe Developer Console. This service account can only be used to access the API -- it does not have a normal password and so cannot be used to log into Cloud Manager or Experience Cloud in general. Although this service account is effectively created by an individual, it is "owned" by the organization. As a result, when looking at the permissions required to use the Cloud Manager API, there are two separate permissions to consider. The first is the permission required to create the project in the Adobe Developer Console. The second is the permission assigned to the service account.
Developer Console Project Creation Permission
Creating a project with the Cloud Manager API in the Adobe Developer Console is allowed for authenticated users who are either System Administrators in the target organization or are assigned Developer Access for one or more Cloud Manager product profiles. A user who is a System Administrator in the target organization can create projects in Developer Console with any of the Cloud Manager product profiles, whereas a user with Developer Access is explicitly allowed to create projects using a subset of product profiles.
To assign a user Developer Access, in the Adobe Admin Console, click the Add Developer link. Enter the email address and click the Assign Products tab. Then select the product and product profiles desired before clicking Save. For example, in the image below, the user would have the ability to create projects in Adobe Developer Console with the Cloud Manager - Deployment Manager product profile.
It is important to understand that this does not enable this user (developer@myco.com in this example) to actually log into Cloud Manager, Adobe Experience Manager or any other Experience Cloud product. This only enables this user to create projects in Adobe Developer Console with the Cloud Manager API.
Cloud Manager API Permissions
Interactions with the Cloud Manager API using the service account are permitted based on the product profiles assigned to the service account. When creating or editing a project in Adobe Developer Console, the product profiles for that project are selectable.
Which profiles are listed here depends on the user -- if this was done using the developer@myco.com user created above, only the Cloud Manager - Deployment Manager product profile would be displayed.
Which product profile(s) or permission(s) to select depends on the specific requirements of the project and which APIs will be accessed. Either a pre-defined product profile can be assigned or, with custom permissions, the permission for the respective operation can be assigned to a custom profile.
With a few exceptions (listed below), if only read (GET) access is required, the Developer product profile will be sufficient. Guidance for projects which require specific profiles:
Detailed Permission Information
Operation | Product Profile(s) | Permission |
---|---|---|
deleteProgram<br>DELETE /api/program/{programId} | Business Owner | Not configurable |
updateCertificate<br>PUT /api/program/{programId}/certificate/{certificateId} | Deployment Manager, Business Owner | SSL Certificate Manage |
deleteCertificate<br>DELETE /api/program/{programId}/certificate/{certificateId} | Deployment Manager, Business Owner | SSL Certificate Manage |
createCertificate<br>POST /api/program/{programId}/certificates | Deployment Manager, Business Owner | SSL Certificate Manage |
getContentFlow<br>GET /api/program/{programId}/contentFlow/{contentFlowId} | Deployment Manager | Content Copy Manage |
cancelContentFlow<br>DELETE /api/program/{programId}/contentFlow/{contentFlowId} | Deployment Manager | Content Copy Manage |
getContentFlowLogs<br>GET /api/program/{programId}/contentFlow/{contentFlowId}/logs | Deployment Manager | Content Copy Manage |
downloadLogs<br>GET /api/program/{programId}/contentFlow/{contentFlowId}/logs/download | Deployment Manager | Content Copy Manage |
listContentFlows<br>GET /api/program/{programId}/contentFlows | Deployment Manager | Content Copy Manage |
deleteContentSet<br>DELETE /api/program/{programId}/contentSet/{contentSetId} | Deployment Manager | Content Copy Manage |
updateContentSet<br>PUT /api/program/{programId}/contentSet/{contentSetId} | Deployment Manager | Content Copy Manage |
getContentSet<br>GET /api/program/{programId}/contentSet/{contentSetId} | Deployment Manager | Content Copy Manage |
createContentSet<br>POST /api/program/{programId}/contentSets | Deployment Manager | Content Copy Manage |
listContentSets<br>GET /api/program/{programId}/contentSets | Deployment Manager | Content Copy Manage |
updateEnvironmentDomainName<br>PUT /api/program/{programId}/domainName/{domainNameId} | Deployment Manager, Business Owner | Domain Name Manage |
deleteEnvironmentDomainName<br>DELETE /api/program/{programId}/domainName/{domainNameId} | Deployment Manager, Business Owner | Domain Name Manage |
deployDomainName<br>POST /api/program/{programId}/domainName/{domainNameId}/deploy | Deployment Manager, Business Owner | Domain Name Manage |
verifyDomainName<br>POST /api/program/{programId}/domainName/{domainNameId}/verify | Deployment Manager, Business Owner | Domain Name Manage |
createEnvironmentDomainName<br>POST /api/program/{programId}/domainNames | Deployment Manager, Business Owner | Domain Name Manage |
validateDomainName<br>POST /api/program/{programId}/domainNames/validate | Deployment Manager, Business Owner | Domain Name Manage |
deleteEnvironment<br>DELETE /api/program/{programId}/environment/{environmentId} | Business Owner, Deployment Manager | Not Configurable |
enableEnvironmentAdvancedNetworkingConfiguration<br>PUT /api/program/{programId}/environment/{environmentId}/advancedNetworking | Deployment Manager, Business Owner | Environment Edit |
disableEnvironmentAdvancedNetworkingConfiguration<br>DELETE /api/program/{programId}/environment/{environmentId}/advancedNetworking | Deployment Manager, Business Owner | Environment Edit |
createContentFlow<br>POST /api/program/{programId}/environment/{environmentId}/contentFlow | Deployment Manager | Content Copy Manage |
getEnvironmentLogs<br>GET /api/program/{programId}/environment/{environmentId}/logs | Deployment Manager, Developer | Environment Logs Read |
downloadLogs<br>GET /api/program/{programId}/environment/{environmentId}/logs/download | Deployment Manager | Content Copy Manage |
createRegionDeployment<br>POST /api/program/{programId}/environment/{environmentId}/regionDeployments | Deployment Manager, Business Owner | Environment Edit |
patchRegionDeployment<br>PATCH /api/program/{programId}/environment/{environmentId}/regionDeployments | Deployment Manager, Business Owner | Environment Edit |
resetRde<br>PUT /api/program/{programId}/environment/{environmentId}/reset | Developer | Rapid Dev Environment Reset |
restoreExecution<br>PUT /api/program/{programId}/environment/{environmentId}/restoreExecution | Deployment Manager | Environment Restore Create |
patchEnvironmentVariables<br>PATCH /api/program/{programId}/environment/{environmentId}/variables | Deployment Manager | Environment Variables Manage |
createEnvironment<br>POST /api/program/{programId}/environments | Deployment Manager, Business Owner | Environment Create |
addFeedback<br>POST /api/program/{programId}/feedbacks | Business Owner, Deployment Manager, Program Manager, Developer | Any product profile is sufficient |
updateIPAllowlist<br>PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId} | Deployment Manager, Business Owner | IP Allowlist Manage |
deleteIPAllowlist<br>DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId} | Deployment Manager, Business Owner | IP Allowlist Manage |
deleteIPAllowlistBinding<br>DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId} | Deployment Manager, Business Owner | IP Allowlist Manage |
retryIPAllowlistBinding<br>PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId}/retry | Deployment Manager, Business Owner | IP Allowlist Manage |
createIPAllowlistBinding<br>POST /api/program/{programId}/ipAllowlist/{ipAllowlistId}/bindings | Deployment Manager, Business Owner | IP Allowlist Manage |
createIPAllowlist<br>POST /api/program/{programId}/ipAllowlists | Deployment Manager, Business Owner | IP Allowlist Manage |
updateNetworkInfrastructure<br>PUT /api/program/{programId}/networkInfrastructure/{networkInfrastructureId} | Business Owner | Network Infrastructure Manage |
deleteNetworkInfrastructure<br>DELETE /api/program/{programId}/networkInfrastructure/{networkInfrastructureId} | Business Owner | Network Infrastructure Manage |
createNetworkInfrastructure<br>POST /api/program/{programId}/networkInfrastructures | Business Owner | Network Infrastructure Manage |
getNewRelicSubAccountUserList<br>GET /api/program/{programId}/newRelicUsers | Deployment Manager, Business Owner | New Relic Sub Account User Manage |
createDeleteNewRelicSubAccountUsers<br>PATCH /api/program/{programId}/newRelicUsers | Deployment Manager, Business Owner | New Relic Sub Account User Manage |
deletePipeline<br>DELETE /api/program/{programId}/pipeline/{pipelineId} | Deployment Manager | Pipeline Delete |
patchPipeline<br>PATCH /api/program/{programId}/pipeline/{pipelineId} | Deployment Manager | Pipeline Edit |
invalidateCache<br>DELETE /api/program/{programId}/pipeline/{pipelineId}/cache | Deployment Manager | Pipeline Cache Invalidation |
startPipeline<br>PUT /api/program/{programId}/pipeline/{pipelineId}/execution | Business Owner, Deployment Manager, Program Manager | Pipeline Executions Start |
advancePipelineExecution<br>PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/advance | Business Owner, Deployment Manager, Program Manager | Production Deployments Approve/Reject, Production Deployments Schedule, Override/Reject Important Metric Failures |
cancelPipelineExecutionStep<br>PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/cancel | Business Owner, Deployment Manager, Program Manager<br>Note: Program Manager role is limited to cancelling steps with the status of WAITING. | Pipeline Executions Cancel, Production Deployments Approve/Reject, Production Deployments Schedule, Override/Reject Important Metric Failures |
patchPipelineVariables<br>PATCH /api/program/{programId}/pipeline/{pipelineId}/variables | Deployment Manager | Pipeline Edit |
getPipelineVariables<br>GET /api/program/{programId}/pipeline/{pipelineId}/variables | Business Owner, Deployment Manager, Program Manager, Developer | Program Access |
addProgram<br>POST /api/tenant/{tenantId}/programs | Business Owner | Program Create |
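
The table above can be used to pick the smallest set of product profiles for a service account, or to audit an existing one against the calls it actually makes. The following is an added example, not Adobe's code: it embeds a few rows copied from the table, assumes a call is permitted when any assigned profile is listed for the operation, and uses hypothetical function names and constructed request paths.

```python
import re
from itertools import combinations

PROFILES = ["Business Owner", "Deployment Manager", "Program Manager", "Developer"]

# Subset of rows copied from the table above: (method, path template) -> profiles.
TABLE = {
    ("DELETE", "/api/program/{programId}"): {"Business Owner"},
    ("POST", "/api/program/{programId}/networkInfrastructures"): {"Business Owner"},
    ("PUT", "/api/program/{programId}/pipeline/{pipelineId}/execution"):
        {"Business Owner", "Deployment Manager", "Program Manager"},
    ("PATCH", "/api/program/{programId}/pipeline/{pipelineId}/variables"):
        {"Deployment Manager"},
    ("GET", "/api/program/{programId}/environment/{environmentId}/logs"):
        {"Deployment Manager", "Developer"},
    ("PUT", "/api/program/{programId}/environment/{environmentId}/reset"):
        {"Developer"},
}

def _to_regex(template):
    # Each {placeholder} matches exactly one path segment.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")

RULES = [(method, _to_regex(tpl), profs) for (method, tpl), profs in TABLE.items()]

def allowed_profiles(method, path):
    """Profiles the table lists for one concrete request."""
    for rule_method, rx, profs in RULES:
        if rule_method == method.upper() and rx.match(path):
            return set(profs)
    if method.upper() == "GET":
        # Page: Developer suffices for reads, with a few listed exceptions.
        # Only safe once every GET row of the table has been loaded into TABLE.
        return {"Developer"}
    raise KeyError(f"{method} {path} is not in the embedded subset of the table")

def minimal_profiles(calls):
    """Smallest profile set that covers every (method, path) in calls."""
    needs = [allowed_profiles(m, p) for m, p in calls]
    for size in range(len(PROFILES) + 1):
        for combo in combinations(PROFILES, size):
            if all(need & set(combo) for need in needs):
                return set(combo)

def excess_profiles(assigned, calls):
    """Assigned profiles that the observed calls do not require."""
    return set(assigned) - minimal_profiles(calls)
```

Unlisted write operations raise an error instead of defaulting to a profile, so a gap in the embedded table cannot silently widen the service account's access.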