
API Permissions

The Cloud Manager API is accessed using a technical service account created using the Adobe Developer Console. This service account can only be used to access the API -- it does not have a normal password and so cannot be used to log into Cloud Manager or Experience Cloud in general. Although this service account is effectively created by an individual, it is "owned" by the organization. As a result, when looking at the permissions required to use the Cloud Manager API, there are two separate permissions to consider. The first is the permission required to create the project in the Adobe Developer Console. The second is the permission assigned to the service account.

Developer Console Project Creation Permission

Creating a project with the Cloud Manager API in the Adobe Developer Console is allowed for authenticated users who are either System Administrators in the target organization or are assigned Developer Access for one or more Cloud Manager product profiles. A user who is a System Administrator in the target organization can create projects in Developer Console with any of the Cloud Manager product profiles, whereas a user with Developer Access is explicitly allowed to create projects using only a subset of product profiles.

To assign a user Developer Access, in the Adobe Admin Console, click the Add Developer link. Enter the email address and click the Assign Products tab. Then select the product and product profiles desired before clicking Save. For example, in the image below, the user would have the ability to create projects in Adobe Developer Console with the Cloud Manager - Deployment Manager product profile.

[Image: Set Developer Access Product Profiles]

It is important to understand that this does not enable this user (developer@myco.com in this example) to actually log into Cloud Manager, Adobe Experience Manager or any other Experience Cloud product. This only enables this user to create projects in Adobe Developer Console with the Cloud Manager API.

Cloud Manager API Permissions

Interactions with the Cloud Manager API using the service account are permitted based on the product profiles assigned to the service account. When creating or editing a project in Adobe Developer Console, the product profiles for that project are selectable.

[Image: Set Service Account Product Profiles]

Which profiles are listed here depends on the user -- if this was done using the developer@myco.com user created above, only the Cloud Manager - Deployment Manager product profile would be displayed.

Which product profile(s) to select depends upon the specific requirements for the project and what APIs will be accessed. With a few exceptions (listed below), if only read (GET) access is required, the Developer product profile will be sufficient. Guidance for projects which require specific profiles:

Detailed Permission Information

| Operation | Request | Product Profile(s) |
| --- | --- | --- |
| deleteProgram | DELETE /api/program/{programId} | Business Owner, Deployment Manager |
| updateCertificate | PUT /api/program/{programId}/certificate/{certificateId} | Deployment Manager, Business Owner |
| deleteCertificate | DELETE /api/program/{programId}/certificate/{certificateId} | Deployment Manager, Business Owner |
| createCertificate | POST /api/program/{programId}/certificates | Deployment Manager, Business Owner |
| updateEnvironmentDomainName | PUT /api/program/{programId}/domainName/{domainNameId} | Deployment Manager, Business Owner |
| deleteEnvironmentDomainName | DELETE /api/program/{programId}/domainName/{domainNameId} | Deployment Manager, Business Owner |
| deployDomainName | POST /api/program/{programId}/domainName/{domainNameId}/deploy | Deployment Manager, Business Owner |
| verifyDomainName | POST /api/program/{programId}/domainName/{domainNameId}/verify | Deployment Manager, Business Owner |
| createEnvironmentDomainName | POST /api/program/{programId}/domainNames | Deployment Manager, Business Owner |
| validateDomainName | POST /api/program/{programId}/domainNames/validate | Deployment Manager, Business Owner |
| deleteEnvironment | DELETE /api/program/{programId}/environment/{environmentId} | Business Owner, Deployment Manager |
| enableEnvironmentAdvancedNetworkingConfiguration | PUT /api/program/{programId}/environment/{environmentId}/advancedNetworking | Deployment Manager, Business Owner |
| disableEnvironmentAdvancedNetworkingConfiguration | DELETE /api/program/{programId}/environment/{environmentId}/advancedNetworking | Deployment Manager, Business Owner |
| getEnvironmentLogs | GET /api/program/{programId}/environment/{environmentId}/logs | Deployment Manager |
| downloadLogs | GET /api/program/{programId}/environment/{environmentId}/logs/download | Deployment Manager, Developer |
| restoreExecution | PUT /api/program/{programId}/environment/{environmentId}/restoreExecution | Deployment Manager |
| patchEnvironmentVariables | PATCH /api/program/{programId}/environment/{environmentId}/variables | Deployment Manager |
| createEnvironment | POST /api/program/{programId}/environments | Deployment Manager, Business Owner |
| updateIPAllowlist | PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId} | Deployment Manager |
| deleteIPAllowlist | DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId} | Deployment Manager |
| deleteIPAllowlistBinding | DELETE /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId} | Deployment Manager |
| retryIPAllowlistBinding | PUT /api/program/{programId}/ipAllowlist/{ipAllowlistId}/binding/{ipAllowlistBindingId}/retry | Deployment Manager |
| createIPAllowlistBinding | POST /api/program/{programId}/ipAllowlist/{ipAllowlistId}/bindings | Deployment Manager |
| createIPAllowlist | POST /api/program/{programId}/ipAllowlists | Deployment Manager |
| updateNetworkInfrastructure | PUT /api/program/{programId}/networkInfrastructure/{networkInfrastructureId} | Business Owner |
| deleteNetworkInfrastructure | DELETE /api/program/{programId}/networkInfrastructure/{networkInfrastructureId} | Business Owner |
| createNetworkInfrastructure | POST /api/program/{programId}/networkInfrastructures | Business Owner |
| getNewRelicSubAccountUserList | GET /api/program/{programId}/newRelicUsers | Deployment Manager, Business Owner |
| createDeleteNewRelicSubAccountUsers | PATCH /api/program/{programId}/newRelicUsers | Deployment Manager, Business Owner |
| deletePipeline | DELETE /api/program/{programId}/pipeline/{pipelineId} | Deployment Manager |
| patchPipeline | PATCH /api/program/{programId}/pipeline/{pipelineId} | Deployment Manager |
| invalidateCache | DELETE /api/program/{programId}/pipeline/{pipelineId}/cache | Deployment Manager |
| startPipeline | PUT /api/program/{programId}/pipeline/{pipelineId}/execution | Business Owner, Deployment Manager, Program Manager |
| advancePipelineExecution | PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/advance | Business Owner, Deployment Manager, Program Manager |
| cancelPipelineExecutionStep | PUT /api/program/{programId}/pipeline/{pipelineId}/execution/{executionId}/phase/{phaseId}/step/{stepId}/cancel | Business Owner, Deployment Manager, Program Manager. Note - Program Manager role is limited to cancelling steps with the status of WAITING. |
| patchPipelineVariables | PATCH /api/program/{programId}/pipeline/{pipelineId}/variables | Deployment Manager |
| getPipelineVariables | GET /api/program/{programId}/pipeline/{pipelineId}/variables | Deployment Manager |
| addProgram | POST /api/tenant/{tenantId}/programs | Business Owner |
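The permission table above can drive a least-privilege choice of product profiles for a service account. The following is an added example, not Adobe's code: it embeds a subset of the table's rows and assumes that holding any one of the listed profiles permits the operation. The function names `granted` and `least_privilege` are hypothetical.

```python
from itertools import combinations

# Subset of the page's permission table: operation -> profiles listed for it.
# Assumption: any ONE listed profile is enough to call the operation.
PERMISSIONS = {
    "deleteProgram": {"Business Owner", "Deployment Manager"},
    "getEnvironmentLogs": {"Deployment Manager"},
    "downloadLogs": {"Deployment Manager", "Developer"},
    "patchEnvironmentVariables": {"Deployment Manager"},
    "createNetworkInfrastructure": {"Business Owner"},
    "deletePipeline": {"Deployment Manager"},
    "startPipeline": {"Business Owner", "Deployment Manager", "Program Manager"},
    "advancePipelineExecution": {"Business Owner", "Deployment Manager", "Program Manager"},
    "getPipelineVariables": {"Deployment Manager"},
    "addProgram": {"Business Owner"},
}

def granted(profiles):
    """Operations (within PERMISSIONS) that a set of profiles allows."""
    return {op for op, allowed in PERMISSIONS.items() if allowed & set(profiles)}

def least_privilege(required):
    """Smallest profile sets covering `required`, ranked by how many
    unneeded operations (excess privilege) each set also grants.
    Returns a list of (profiles, excess_operations) pairs."""
    required = set(required)
    unknown = required - PERMISSIONS.keys()
    if unknown:
        raise KeyError(f"not in table: {sorted(unknown)}")
    candidates = sorted(set().union(*(PERMISSIONS[op] for op in required)))
    for size in range(1, len(candidates) + 1):
        covers = [set(c) for c in combinations(candidates, size)
                  if required <= granted(c)]
        if covers:
            ranked = sorted(covers, key=lambda c: (len(granted(c) - required), sorted(c)))
            return [(sorted(c), sorted(granted(c) - required)) for c in ranked]
    return []

if __name__ == "__main__":
    # A CI job that only starts and advances pipelines.
    for profiles, excess in least_privilege({"startPipeline", "advancePipelineExecution"}):
        print(profiles, "also grants:", excess)
```

The excess list is computed only over the rows embedded in `PERMISSIONS`; load the full table before relying on it for an audit.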
Copyright © 2022 Adobe. All rights reserved.