Overview
User groups are the authorization primitive inside an API Experience Hub (AEH) portal. They control which members can see which APIs/minor versions, and they can be mapped to groups coming from a federated identity provider (IdP) so membership is synchronized automatically at login. This workflow covers the full lifecycle of user groups and their IdP mappings.
What you'll build: A clean, well-scoped set of user groups (and IdP mappings) that AEH can use for asset visibility and member permissioning.
Prerequisites
Before starting, ensure:
- Authentication ready
  - Valid Bearer token for Anypoint Platform
  - AEH Administrator or AEH Portal Administrator permissions
- Environment already bootstrapped
  - Connection and portal already created
  - Optional: an IdP configured on the portal (needed only for group mappings)
Step 1: List AEH Connections
$ curl -X GET ${baseUrl}/api/v1/connections \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- connectionId: $[*].id
Step 2: List Portals on the Connection
$ curl -X GET ${baseUrl}/api/v1/connections/{connectionId}/apiPortals \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- portalId: $[*].id
Step 3: List User Groups (Profiles)
Retrieve the existing user groups on the portal so the admin can decide whether to create, update, or delete them.
$ curl -X GET ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- userGroups: $.profiles[*]
- userGroupId: $.profiles[*].id
What happens next: Present the list and let the admin pick the next action (create/update/delete or manage mappings).
Step 4: Create a New User Group
$ curl -X POST ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- createdUserGroupId: $.id
What happens next: The new group is available for asset visibility rules and member assignments.
Step 5: Update an Existing User Group
Rename or change the description of a group. The group membership itself is updated via manage-portal-members-and-prospects.
$ curl -X PATCH ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups/{userGroupId} \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- updatedUserGroupId: $.id
Step 6: Delete a User Group (Optional)
Remove a user group that is no longer needed. Verify no members or visibility rules depend on it first.
$ curl -X DELETE ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups/{userGroupId} \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- deletedUserGroupId: $.id
What happens next: The group is gone; any visibility rules or member assignments that referenced it need to be revisited.
Step 7: List Group Mappings
Group mappings link a federated IdP group (SAML / OIDC) to an AEH user group so membership syncs at login.
$ curl -X GET ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups/{userGroupId}/groupMappings \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- groupMappings: $.mappings[*]
- groupMappingId: $.mappings[*].id
Step 8: Create a Group Mapping
Link an IdP group to an AEH user group.
$ curl -X POST ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups/{userGroupId}/groupMappings \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- createdGroupMappingId: $.id
What happens next: Users who log in via the IdP and belong to the mapped IdP group are automatically placed into the AEH user group.
Step 9: Delete a Group Mapping (Optional)
Remove a stale mapping — e.g., when the IdP group has been renamed or retired.
$ curl -X DELETE ${baseUrl}/api/v1/connections/{connectionId}/apiPortals/{portalId}/userGroups/{userGroupId}/groupMappings/{idpId}/{groupMappingName} \
-H "Authorization: Bearer ${authToken}" \
-H "Content-Type: application/json"
Captured Variables
- deletedGroupMappingId: $.id
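A review helper for Steps 7 to 9, added here as an example and not part of the original workflow or the product's own code: it takes the groupMappings responses collected per user group, flags mappings whose IdP group no longer exists and IdP groups that feed more than one AEH user group, and builds the Step 9 delete path with each segment percent-encoded. The idpId and groupName field names, the sample responses and the IdP group export are assumptions; only mappings and id appear on this page.

```python
from urllib.parse import quote

# Constructed sample: GET .../userGroups/{userGroupId}/groupMappings responses,
# keyed by userGroupId. "mappings" and "id" come from the page's JSONPaths;
# "idpId" and "groupName" are assumed field names.
SAMPLE_MAPPINGS = {
    "ug-partners": {"mappings": [
        {"id": "m1", "idpId": "idp-1", "groupName": "partners-emea"},
        {"id": "m2", "idpId": "idp-1", "groupName": "partners-old"},
    ]},
    "ug-internal": {"mappings": [
        {"id": "m3", "idpId": "idp-1", "groupName": "partners-emea"},
    ]},
}
# Constructed export of the groups that currently exist in each IdP (assumed input).
CURRENT_IDP_GROUPS = {"idp-1": {"partners-emea", "employees"}}


def review_mappings(responses, current_idp_groups):
    """Return stale mappings and IdP groups mapped to more than one user group."""
    stale, seen = [], {}
    for user_group_id, body in responses.items():
        for m in body.get("mappings", []):
            key = (m["idpId"], m["groupName"])
            seen.setdefault(key, []).append(user_group_id)
            # Stale: the IdP group was renamed or retired (the Step 9 case).
            if m["groupName"] not in current_idp_groups.get(m["idpId"], set()):
                stale.append((user_group_id, m["idpId"], m["groupName"]))
    # Shared: one IdP group grants membership in several AEH groups at login.
    shared = {k: v for k, v in seen.items() if len(v) > 1}
    return {"stale": stale, "shared": shared}


def delete_mapping_path(connection_id, portal_id, user_group_id, idp_id, name):
    """Build the Step 9 DELETE path, percent-encoding every segment so a group
    name containing '/', '=' or spaces stays a single path segment."""
    c, p, g, i, n = (quote(s, safe="") for s in
                     (connection_id, portal_id, user_group_id, idp_id, name))
    return (f"/api/v1/connections/{c}/apiPortals/{p}"
            f"/userGroups/{g}/groupMappings/{i}/{n}")


if __name__ == "__main__":
    report = review_mappings(SAMPLE_MAPPINGS, CURRENT_IDP_GROUPS)
    for ug, idp, name in report["stale"]:
        print("stale:", delete_mapping_path("CONNECTION_ID", "PORTAL_ID", ug, idp, name))
    for (idp, name), groups in report["shared"].items():
        print("shared:", idp, name, "->", groups)
```

Review the shared entries before deleting anything: an IdP group mapped to several user groups widens asset visibility for everyone in it at their next login.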
Completion Checklist
- [ ] Connection and portal selected
- [ ] Existing user groups inventoried
- [ ] New user groups created as required
- [ ] Outdated user groups renamed or deleted
- [ ] IdP group mappings reviewed and updated
What You've Built
✅ Governed User-Group Model — A set of well-named user groups and IdP mappings that cleanly drive asset visibility and member permissioning.
Next Steps
- Restrict asset visibility: See curate-portal-assets Step 6 to hide or expose specific minor versions per user group.
- Assign members: See manage-portal-members-and-prospects to place portal members into the correct groups.