API Scopes are combined with the Admin Groups to create a granular permission system within the API Umbrella admin. This might be useful if you have multiple organizations or departments that should only have access to certain parts of the API Umbrella admin.
An API Scope defines a hostname and a path prefix. This determines the API backends and analytics that an admin is allowed to view. For example, an admin may be authorized to interact with
example.com/foo/* apis, but not
Next, you setup a (permissions) group, which defines the specific permissions admins can perform within API scopes. For example, you may want some admins to only be able to view analytics, while others should be able to also setup API backends.
As a quick example, say you set up an API Scope with a host of
example.com and a path prefix of
/foo. You then create a group that uses that scope and grants the
API Backend Configuration - View & Manage permissions. Then, you assign that group to a specific admin account.
Now, any admin that belongs to that group can log in and view analytics, but only for requests beginning with
example.com/foo/*. They would not be able to view analytics for
example.com/bar/*. Similarly, because they were granted the API Backend permission, that user could edit or create new API backends, but only as long as the API backend they’re interacting with starts with
example.com/foo/* for it’s public URL. However, while this specific admin group could add and edit API backends, they couldn’t actually publish the backend changes and make them live, since they were not granted the
API Backend Configuration - Publish permission.