Identity and access management considerations for the API Management landing zone accelerator
This article provides design considerations and recommendations for identity and access management when using the API Management landing zone accelerator. Identity and access management covers multiple aspects including access to manage the API Management instance, API developer access, and client access to APIs.
Learn more about the identity and access management design area.
Design considerations
- Decide on the access management for API Management services through all possible channels including portal, ARM REST API, DevOps, etc.
- Decide on the access management for API Management entities.
- Decide how to sign up and authorize the developer accounts.
- Decide how subscriptions are used.
- Decide on the visibility of products and APIs on the developer portal.
- Decide on access revocation policies.
- Decide on reporting requirements for access control.
Design recommendations
- Use built-in roles to delegate responsibilities across teams to manage the API Management instance.
- Use custom roles based on API Management RBAC operations to set fine-grained access to API Management entities. Examples: API developers, backup operators, DevOps automation, etc.
- Associate subscriptions at the appropriate scope, such as products.
- Create appropriate groups to control the visibility of the products.
- Manage access to the developer portal using Azure Active Directory B2C.
- Reporting:
- Make use of built-in analytics.
- Integrate API Management with Application Insights.
- Review diagnostic logs.
- Create custom reports.