Access control group (ACG) model

The API registration process in the API Definitions app involves specifying hostnames for publishing your API via Akamai. These hostnames⁠—that you create in Property Manager—are a crucial part of deploying your APIs over the Akamai network. You may associate each registered API with one or more hostnames.

The set of hostnames that you can choose from when registering an API depends on the access control groups (ACGs) associated with your Control Center user. An ACG is a group of users who can view or edit an API. Each ACG has a specific set of hostnames defined in Property Manager. The API hostnames menu gives you access to all the hostnames available to select based on your ACG affiliation.

The Identity and Access Management app in Control Center lets you associate user roles with ACGs. User roles define a user’s level of access to different applications in Control Center. Each user role contains a set of permissions that determine access to specific application functionality in Control Center.

When it comes to API hostnames, the following permissions are relevant:

API Definitions Viewer
Provides read-only capabilities to features in the API Definitions app. When you have a role with this permission assigned to an ACG available for your Control Center user, you may see all hostnames defined under that ACG, but you cannot register API configurations with these hostnames.
API Definitions URL Path Editor
Provides the same capabilities as the API Definitions Viewer role. In addition, lets you view hostnames defined under an ACG and use these hostnames to register API configurations with non-blank base paths and base paths that don’t start with a wildcard (*) or a path parameter (for example “/{book_id}”)
API Definitions Read/Write
Provides read/write capabilities to features in the API Definitions app. When you have a role with this permission assigned to an ACG, you may register API configurations with all hostnames defined under that ACG. Unlike the API Definitions URL Path Editor permission, API Definitions Read/Write lets you specify a base path without any restrictions.
API Definitions Administrator
Gives full access to all settings and controls in the API Definitions app. When you have a role with this permission assigned to an ACG, you may register API configurations with all hostnames defined under that ACG. Unlike the API Definitions URL Path Editor permission, API Definitions Administrator lets you specify a base path without any restrictions.

To learn more about Control Center users, roles, and access management in general, see the Identity and Access Management documentation.

The following graph demonstrates a sample ACG hierarchy:

Sample ACG hierarchy

Each node above represents an ACG associated with a specific set of hostnames. By default, access to each parent ACG is propagated to each child ACG. For example:

  • If you have access to the “A” ACG and its hostnames, you also have access to hostnames associated with the following child ACGs: A, B, C, D, E, F, G.
  • If you have access to the “C” ACG and its hostnames, you also have access to hostnames associated with “F” and “G”.
  • If you have access to the “F” ACG, you only have access to its associated hostnames.

By default, ACGs inherit their parent’s roles. However, if you’re a Control Center administrator, you can change the roles for each child ACG in an ACG tree to Blocked and make the hostnames from that ACG unavailable to users in API Definitions. This gives you a possibility to control access levels of different groups of API developers within your organization..

For an ACG and its associated hostnames to be available for use in API Definitions, a Control Center user needs a role with at least the API Gateway URL Path Editor permission assigned to the ACG. If you’re a Control Center administrator (your user has a role with the API Definitions Administrator permission assigned in the Identity and Access Management app), you can manage the ACG access levels of other users’ in the Identity and Access Management app. A common use case involves assigning roles with the API Definitions URL Path Editor permission to API developers and enabling them to use hostnames from other ACGs. This allows API developers to run traffic through hostnames from external ACGs while preventing them from accessing registered APIs created under these ACGs at the same time. For details on assigning permissions to roles, see Add permissions to a user role.

Important: If you want to associate a hostname with a base path, and that combination is already used in another registered API, you normally receive a prompt that asks you if you want to override the settings with the current configuration. In a case when a hostname and base path are already associated with a parent ACG, and you want to assign them to one of the ACG’s children, API Gateway disallows the override to prevent breaking traffic in the parent ACG’s APIs.