Merge pull request #228427 from MicrosoftDocs/release-preview-apim-workspaces

[APIM] Workspaces preview content

Author: huypub

articles/api-management/TOC.yml

@@ -72,6 +72,8 @@
         href: self-hosted-gateway-overview.md
       - name: High availability
         href: high-availability.md
+      - name: Workspaces
+        href: workspaces-overview.md
         displayName: reliability, resilience, resiliency  
       - name: Networking
         href: virtual-network-concepts.md
@@ -130,6 +132,10 @@
               href: api-management-howto-disaster-recovery-backup-restore.md
             - name: Use role-based access control
               href: api-management-role-based-access-control.md
+            - name: Create a workspace
+              href: how-to-create-workspace.md
+            - name: Use a workspace
+              href: api-management-in-workspace.md
             - name: Use managed identities for Azure resources
               href: api-management-howto-use-managed-service-identity.md
             - name: Send events to Event Grid

articles/api-management/api-management-howto-policies.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 03/23/2022
+ms.date: 03/07/2023
 ms.author: danlep
 
 ---
@@ -83,7 +83,8 @@ Policy expressions provide a sophisticated means to control traffic and modify A
 API Management allows you to define policies at the following *scopes*, from most broad to most narrow:
 
 * Global (all APIs)
-* Product (APIs associated with a selected product)
+* Workspace (all APIs associated with a selected workspace)
+* Product (all APIs associated with a selected product)
 * API (all operations in an API)
 * Operation (single operation in an API) 
 

articles/api-management/api-management-in-workspace.md

@@ -0,0 +1,68 @@
+---
+title: Use a workspace in Azure API Management
+description: Members of a workspace in Azure API Management can collaborate to manage and productize their own APIs.
+author: dlepow
+ms.topic: how-to
+ms.service: api-management
+ms.author: danlep
+ms.date: 03/10/2023
+ms.custom: 
+---
+
+# Manage APIs and other resources in your API Management workspace
+
+This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md)
+
+[!INCLUDE [api-management-availability-premium-dev-standard](../../includes/api-management-availability-premium-dev-standard.md)]
+
+> [!NOTE]
+> * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations).
+> * This feature is being released during March and April 2023.
+> * Workspaces are supported in API Management REST API version 2022-09-01-preview or later.
+> * For pricing considerations, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/).
+
+## Prerequisites
+
+* An API Management instance. If needed, ask an administrator to [create one](get-started-create-service-instance.md).
+* A workspace. If needed, ask an administrator of your API Management instance to [create one](how-to-create-workspace.md).
+* Permissions to collaborate in the workspace. If needed, ask a workspace owner to assign you appropriate [roles](api-management-role-based-access-control.md#built-in-workspace-roles) in the workspace.
+
+## Go to the workspace - portal
+
+1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to your API Management instance.
+
+1. In the left menu, select **Workspaces** (preview), and select the name of your workspace.
+
+    :::image type="content" source="media/api-management-in-workspace/workspace-in-portal.png" alt-text="Screenshot of workspaces in API Management instance in the portal." lightbox="media/api-management-in-workspace/workspace-in-portal-expanded.png":::
+    
+1. The workspace appears. The available resources and settings appear in the menu on the left.
+
+    :::image type="content" source="media/api-management-in-workspace/workspace-menu.png" alt-text="Screenshot of API Management workspace menu in the portal." lightbox="media/api-management-in-workspace/workspace-menu-expanded.png":::
+
+
+## Get started with your workspace
+
+Depending on your role in the workspace, you might have permissions to create APIs, products, subscriptions, and other resources, or you might have read-only access to some or all of them.
+
+To get started managing, protecting, and publishing APIs in your workspaces, see the following guidance.
+
+
+
+|Resource  |Guide  |
+|---------|---------|
+|APIs     |   [Tutorial: Import and publish your first API](import-and-publish.md)      |
+|Products     |   [Tutorial: Create and publish a product](api-management-howto-add-products.md)      |
+|Subscriptions     | [Subscriptions in Azure API Management](api-management-subscriptions.md)<br/><br/>[Create subscriptions in API Management](api-management-howto-create-subscriptions.md)        |
+|Policies     |  [Tutorial: Transform and protect your API](transform-api.md)<br/><br/>[Policies in Azure API Management](api-management-howto-policies.md)<br/><br/>[Set or edit API Management policies](set-edit-policies.md)       |
+|Named values     | [Manage secrets using named values](api-management-howto-properties.md)        |
+|Policy fragments     |  [Reuse policy configurations in your API Management policy definitions](policy-fragments.md)       |
+| Schemas | [Validate content](validate-content-policy.md) |
+| Groups | [Create and use groups to manage developer accounts](api-management-howto-create-groups.md)
+| Notifications | [How to configure notifications and notification templates](api-management-howto-configure-notifications.md)
+
+
+
+## Next steps
+
+* Learn more about [workspaces](workspaces-overview.md)
+

articles/api-management/api-management-policy-expressions.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 01/13/2023
+ms.date: 03/07/2023
 ms.author: danlep
 ---
 # API Management policy expressions
@@ -200,12 +200,12 @@ The `context` variable is implicitly available in every policy [expression](api-
 |Context Variable|Allowed methods, properties, and parameter values|
 |----------------------|-------------------------------------------------------|
 |`context`|[`Api`](#ref-context-api): [`IApi`](#ref-iapi)<br /><br /> [`Deployment`](#ref-context-deployment)<br /><br /> Elapsed: `TimeSpan` - time interval between the value of `Timestamp` and current time<br /><br /> [`LastError`](#ref-context-lasterror)<br /><br /> [`Operation`](#ref-context-operation)<br /><br /> [`Product`](#ref-context-product)<br /><br /> [`Request`](#ref-context-request)<br /><br /> `RequestId`: `Guid` - unique request identifier<br /><br /> [`Response`](#ref-context-response)<br /><br /> [`Subscription`](#ref-context-subscription)<br /><br /> `Timestamp`: `DateTime` - point in time when request was received<br /><br /> `Tracing`: `bool` - indicates if tracing is on or off <br /><br /> [User](#ref-context-user)<br /><br /> [`Variables`](#ref-context-variables): `IReadOnlyDictionary<string, object>`<br /><br /> `void Trace(message: string)`|
-|<a id="ref-context-api"></a>`context.Api`|`Id`: `string`<br /><br /> `IsCurrentRevision`: `bool`<br /><br />  `Name`: `string`<br /><br /> `Path`: `string`<br /><br /> `Revision`: `string`<br /><br /> `ServiceUrl`: [`IUrl`](#ref-iurl)<br /><br /> `Version`: `string` |
+|<a id="ref-context-api"></a>`context.Api`|`Id`: `string`<br /><br /> `IsCurrentRevision`: `bool`<br /><br />  `Name`: `string`<br /><br /> `Path`: `string`<br /><br /> `Revision`: `string`<br /><br /> `ServiceUrl`: [`IUrl`](#ref-iurl)<br /><br /> `Version`: `string` <br /><br /> `Workspace`: [`IWorkspace`](#ref-iworkspace) |
 |<a id="ref-context-deployment"></a>`context.Deployment`|[`Gateway`](#ref-context-gateway)<br /><br /> `GatewayId`: `string` (returns 'managed' for managed gateways)<br /><br /> `Region`: `string`<br /><br /> `ServiceId`: `string`<br /><br /> `ServiceName`: `string`<br /><br /> `Certificates`: `IReadOnlyDictionary<string, X509Certificate2>`|
 |<a id="ref-context-gateway"></a>`context.Deployment.Gateway`|`Id`: `string` (returns 'managed' for managed gateways)<br /><br /> `InstanceId`: `string` (returns 'managed' for managed gateways)<br /><br /> `IsManaged`: `bool`|
 |<a id="ref-context-lasterror"></a>`context.LastError`|`Source`: `string`<br /><br /> `Reason`: `string`<br /><br /> `Message`: `string`<br /><br /> `Scope`: `string`<br /><br /> `Section`: `string`<br /><br /> `Path`: `string`<br /><br /> `PolicyId`: `string`<br /><br /> For more information about `context.LastError`, see [Error handling](api-management-error-handling-policies.md).|
 |<a id="ref-context-operation"></a>`context.Operation`|`Id`: `string`<br /><br /> `Method`: `string`<br /><br /> `Name`: `string`<br /><br /> `UrlTemplate`: `string`|
-|<a id="ref-context-product"></a>`context.Product`|`Apis`: `IEnumerable<`[`IApi`](#ref-iapi)`>`<br /><br /> `ApprovalRequired`: `bool`<br /><br /> `Groups`: `IEnumerable<`[`IGroup`](#ref-igroup)`>`<br /><br /> `Id`: `string`<br /><br /> `Name`: `string`<br /><br /> `State`: `enum ProductState {NotPublished, Published}`<br /><br /> `SubscriptionLimit`: `int?`<br /><br /> `SubscriptionRequired`: `bool`|
+|<a id="ref-context-product"></a>`context.Product`|`Apis`: `IEnumerable<`[`IApi`](#ref-iapi)`>`<br /><br /> `ApprovalRequired`: `bool`<br /><br /> `Groups`: `IEnumerable<`[`IGroup`](#ref-igroup)`>`<br /><br /> `Id`: `string`<br /><br /> `Name`: `string`<br /><br /> `State`: `enum ProductState {NotPublished, Published}`<br /><br /> `SubscriptionLimit`: `int?`<br /><br /> `SubscriptionRequired`: `bool`<br /><br /> `Workspace`: [`IWorkspace`](#ref-iworkspace)|
 |<a id="ref-context-request"></a>`context.Request`|`Body`: [`IMessageBody`](#ref-imessagebody) or `null` if request doesn't have a body.<br /><br /> `Certificate`: `System.Security.Cryptography.X509Certificates.X509Certificate2`<br /><br /> [`Headers`](#ref-context-request-headers): `IReadOnlyDictionary<string, string[]>`<br /><br /> `IpAddress`: `string`<br /><br /> `MatchedParameters`: `IReadOnlyDictionary<string, string>`<br /><br /> `Method`: `string`<br /><br /> `OriginalUrl`: [`IUrl`](#ref-iurl)<br /><br /> `Url`: [`IUrl`](#ref-iurl)<br /><br /> `PrivateEndpointConnection`: [`IPrivateEndpointConnection`](#ref-iprivateendpointconnection) or `null` if request doesn't come from a private endpoint connection.|
 |<a id="ref-context-request-headers"></a>`string context.Request.Headers.GetValueOrDefault(headerName: string, defaultValue: string)`|`headerName`: `string`<br /><br /> `defaultValue`: `string`<br /><br /> Returns comma-separated request header values or `defaultValue` if the header isn't found.|
 |<a id="ref-context-response"></a>`context.Response`|`Body`: [`IMessageBody`](#ref-imessagebody)<br /><br /> [`Headers`](#ref-context-response-headers): `IReadOnlyDictionary<string, string[]>`<br /><br /> `StatusCode`: `int`<br /><br /> `StatusReason`: `string`|
@@ -217,9 +217,10 @@ The `context` variable is implicitly available in every policy [expression](api-
 |<a id="ref-imessagebody"></a>`IMessageBody`|`As<T>(bool preserveContent = false): Where T: string, byte[], JObject, JToken, JArray, XNode, XElement, XDocument` <br /><br /> - The `context.Request.Body.As<T>` and `context.Response.Body.As<T>` methods read a request or response message body in specified type `T`. <br/><br/> - Or - <br/><br/>`AsFormUrlEncodedContent(bool preserveContent = false)` <br/></br>- The `context.Request.Body.AsFormUrlEncodedContent()` and `context.Response.Body.AsFormUrlEncodedContent()` methods read URL-encoded form data in a request or response message body and return an `IDictionary<string, IList<string>` object. The decoded object supports `IDictionary` operations and the following expressions: `ToQueryString()`, `JsonConvert.SerializeObject()`, `ToFormUrlEncodedContent().` <br/><br/> By default, the `As<T>` and `AsFormUrlEncodedContent()` methods:<br /><ul><li>Use the original message body stream.</li><li>Render it unavailable after it returns.</li></ul> <br />To avoid that and have the method operate on a copy of the body stream, set the `preserveContent` parameter to `true`, as shown in examples for the [set-body](set-body-policy.md#examples) policy.|
 |<a id="ref-iprivateendpointconnection"></a>`IPrivateEndpointConnection`|`Name`: `string`<br /><br /> `GroupId`: `string`<br /><br /> `MemberName`: `string`<br /><br />For more information, see the [REST API](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-private-link-resources).|
 |<a id="ref-iurl"></a>`IUrl`|`Host`: `string`<br /><br /> `Path`: `string`<br /><br /> `Port`: `int`<br /><br /> [`Query`](#ref-iurl-query): `IReadOnlyDictionary<string, string[]>`<br /><br /> `QueryString`: `string`<br /><br /> `Scheme`: `string`|
-|<a id="ref-iuseridentity"></a>`IUserIdentity`|`Id`: `string`<br /><br /> `Provider`: `string`|
 |<a id="ref-isubscriptionkeyparameternames"></a>`ISubscriptionKeyParameterNames`|`Header`: `string`<br /><br /> `Query`: `string`|
 |<a id="ref-iurl-query"></a>`string IUrl.Query.GetValueOrDefault(queryParameterName: string, defaultValue: string)`|`queryParameterName`: `string`<br /><br /> `defaultValue`: `string`<br /><br /> Returns comma-separated query parameter values or `defaultValue` if the parameter isn't found.|
+|<a id="ref-iuseridentity"></a>`IUserIdentity`|`Id`: `string`<br /><br /> `Provider`: `string`|
+|<a id="ref-iworkspace"></a>`IWorkspace`|`Id`: `string`<br /><br /> `Name`: `string`|
 |<a id="ref-context-variables"></a>`T context.Variables.GetValueOrDefault<T>(variableName: string, defaultValue: T)`|`variableName`: `string`<br /><br /> `defaultValue`: `T`<br /><br /> Returns variable value cast to type `T` or `defaultValue` if the variable isn't found.<br /><br /> This method throws an exception if the specified type doesn't match the actual type of the returned variable.|
 |`BasicAuthCredentials AsBasic(input: this string)`|`input`: `string`<br /><br /> If the input parameter contains a valid HTTP Basic Authentication authorization request header value, the method returns an object of type `BasicAuthCredentials`; otherwise the method returns null.|
 |`bool TryParseBasic(input: this string, result: out BasicAuthCredentials)`|`input`: `string`<br /><br /> `result`: `out BasicAuthCredentials`<br /><br /> If the input parameter contains a valid HTTP Basic Authentication authorization value in the request header, the method returns `true` and the result parameter contains a value of type `BasicAuthCredentials`; otherwise the method returns `false`.|

articles/api-management/api-management-role-based-access-control.md

@@ -4,26 +4,21 @@ description: Learn how to use the built-in roles and create custom roles in Azur
 services: api-management
 documentationcenter: ''
 author: dlepow
-manager: erikre
-editor: ''
 
-ms.assetid: 364cd53e-88fb-4301-a093-f132fa1f88f5
 ms.service: api-management
-ms.workload: mobile
-ms.tgt_pltfrm: na
 ms.topic: article
-ms.date: 05/18/2021
+ms.date: 02/15/2023
 ms.author: danlep 
 ms.custom: devx-track-azurepowershell
 
 ---
-# How to use Role-Based Access Control in Azure API Management
+# How to use role-based access control in Azure API Management
 
 Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies). This article gives you an overview of the built-in and custom roles in API Management. For more information on access management in the Azure portal, see [Get started with access management in the Azure portal](../role-based-access-control/overview.md).
 
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
-## Built-in roles
+## Built-in service roles
 
 API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance. For instance, if you assign the "API Management Service Reader" role to a user at the resource-group level, then the user has read access to all API Management instances inside the resource group. 
 
@@ -39,6 +34,25 @@ The following table provides brief descriptions of the built-in roles. You can a
 
 <sup>[2] Write access to API Management services and entities except the following operations: instance creation, deletion, and scaling; VPN configuration; and custom domain setup.</sup>
 
+
+## Built-in workspace roles
+
+API Management provides the following built-in roles for collaborators in [workspaces](workspaces-overview.md) in an API Management instance. 
+
+A workspace collaborator must be assigned both a workspace-scoped role and a service-scoped role.
+
+
+|Role  |Scope  |Description  |
+|---------|---------|---------|
+|API Management Workspace Owner     |  workspace       | Can modify workspace details, manage members and their role assignments; has read and write access to all entities within the workspace. This role should be assigned on the workspace scope.          |
+|API Management Workspace Contributor     |  workspace       | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.        |
+|API Management Workspace Reader     | workspace        | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.         |
+|API Management Workspace API Developer      |   workspace      |   Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.  |
+|API Management Workspace API Product Manager     |  workspace       |   Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.  |
+| API Management Workspace API Developer    | service    |   Has read access to tags and products and write access to allow: <br/><br/> ▪️ Assigning  APIs to products<br/> ▪️ Assigning tags to products and APIs<br/><br/> This role should be assigned on the service scope. |
+|  API Management Service Workspace API Product Manager  | service    | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.      |
+
+ 
 ## Custom roles
 
 If none of the built-in roles meet your specific needs, custom roles can be created to provide more granular access management for API Management entities. For example, you can create a custom role that has read-only access to an API Management service, but only has write access to one specific API. To learn more about custom roles, see [Custom roles in Azure RBAC](../role-based-access-control/custom-roles.md). 
@@ -65,7 +79,7 @@ The [Azure Resource Manager resource provider operations](../role-based-access-c
 
 ## Next steps
 
-To learn more about Role-Based Access Control in Azure, see the following articles:
+To learn more about role-based access control in Azure, see the following articles:
   * [Get started with access management in the Azure portal](../role-based-access-control/overview.md)
   * [Assign Azure roles to manage access to your Azure subscription resources](../role-based-access-control/role-assignments-portal.md)
   * [Custom roles in Azure RBAC](../role-based-access-control/custom-roles.md)