
Commit 6ee76bf

Merge pull request #231210 from dlepow/wsown
[APIM] Update workspace roles
2 parents b550f57 + c8f5837 commit 6ee76bf


4 files changed

+17
-20
lines changed


articles/api-management/api-management-in-workspace.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ This article is an introduction to managing APIs, products, subscriptions, and o
2525

2626
* An API Management instance. If needed, ask an administrator to [create one](get-started-create-service-instance.md).
2727
* A workspace. If needed, ask an administrator of your API Management instance to [create one](how-to-create-workspace.md).
28-
* Permissions to collaborate in the workspace. If needed, ask a workspace owner to assign you appropriate [roles](api-management-role-based-access-control.md#built-in-workspace-roles) in the workspace.
28+
* Permissions to collaborate in the workspace. If needed, ask an administrator of your API Management instance to assign you appropriate [roles](api-management-role-based-access-control.md#built-in-workspace-roles) in the service and the workspace.
2929

3030
## Go to the workspace - portal
3131
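
Review bot: On new line 28, "roles in the service and the workspace" is looser than the "both a service-scoped role and a workspace-scoped role" wording this commit introduces in how-to-create-workspace.md and workspaces-overview.md, so a reader asking for access may not realise two separate assignments are required. Suggest reusing that wording here, for example "assign you both a service-scoped role and a workspace-scoped role". The sentence also leaves "an administrator of your API Management instance" undefined; a short pointer to who can make role assignments would save a round trip.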

articles/api-management/api-management-role-based-access-control.md

Lines changed: 1 addition & 2 deletions
@@ -44,12 +44,11 @@ A workspace collaborator must be assigned both a workspace-scoped role and a ser
4444

4545
|Role |Scope |Description |
4646
|---------|---------|---------|
47-
|API Management Workspace Owner | workspace | Can modify workspace details, manage members and their role assignments; has read and write access to all entities within the workspace. This role should be assigned on the workspace scope. |
4847
|API Management Workspace Contributor | workspace | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. |
4948
|API Management Workspace Reader | workspace | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. |
5049
|API Management Workspace API Developer | workspace | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. |
5150
|API Management Workspace API Product Manager | workspace | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. |
52-
| API Management Workspace API Developer | service | Has read access to tags and products and write access to allow: <br/><br/> ▪️ Assigning APIs to products<br/> ▪️ Assigning tags to products and APIs<br/><br/> This role should be assigned on the service scope. |
51+
| API Management Service Workspace API Developer | service | Has read access to tags and products and write access to allow: <br/><br/> ▪️ Assigning APIs to products<br/> ▪️ Assigning tags to products and APIs<br/><br/> This role should be assigned on the service scope. |
5352
| API Management Service Workspace API Product Manager | service | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. |
5453

5554
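
Review bot: With the API Management Workspace Owner row removed (old line 47), none of the rows visible in this hunk describes managing members or role assignments, yet the Workspace Contributor row still reads "view, but not modify its members" and leaves open who can. Suggest adding a sentence next to the table stating who assigns workspace roles now, consistent with the "ask an administrator of your API Management instance" wording in api-management-in-workspace.md. Minor: the renamed row on new line 51 keeps a leading space after the pipe ("| API Management Service Workspace API Developer") while the workspace-scoped rows above it do not.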

articles/api-management/how-to-create-workspace.md

Lines changed: 9 additions & 13 deletions
@@ -39,37 +39,33 @@ The new workspace appears in the list on the **Workspaces** page. Select the wor
3939

4040
## Assign users to workspace - portal
4141

42-
After creating a workspace, assign permissions to users to manage the workspace's resources. Each workspace user must be assigned a workspace-specific RBAC role at the service level and at the workspace level, or granted equivalent permissions using custom roles.
42+
After creating a workspace, assign permissions to users to manage the workspace's resources. Each workspace user must be assigned both a service-scoped workspace RBAC role and a workspace-scoped RBAC role, or granted equivalent permissions using custom roles.
4343

44-
At minimum, assign an *owner* of the workspace. Optionally, assign permissions to other workspace collaborators.
44+
> [!NOTE]
45+
> For easier management, set up Azure AD groups to assign workspace permissions to multiple users.
46+
>
4547
4648
* For a list of built-in workspace roles, see [How to use role-based access control in API Management](api-management-role-based-access-control.md).
4749
* For steps to assign a role, see [Assign Azure roles using the portal](../role-based-access-control/role-assignments-portal.md?tabs=current).
4850

4951

50-
### Assign a service-level role
52+
### Assign a service-scoped role
5153

5254
1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to your API Management instance.
5355

5456
1. In the left menu, select **Access control (IAM)** > **+ Add**.
5557

56-
1. Assign the owner the following role:
57-
* **API Management Service Workspace API Product Manager**
58+
1. Assign one of the following service-scoped roles to each member of the workspace:
5859

59-
1. Assign one of the following roles to other members of the workspace:
60-
* **API Management Workspace API Developer**
60+
* **API Management Service Workspace API Developer**
6161
* **API Management Service Workspace API Product Manager**
6262

63-
### Assign a workspace-level role
63+
### Assign a workspace-scoped role
6464

6565
1. In the menu for your API Management instance, select **Workspaces (preview)** > the name of the workspace that you created.
6666
1. In the **Workspace** window, select **Access control (IAM)**> **+ Add**.
6767

68-
1. Assign the owner the following role:
69-
70-
* **API Management Workspace Owner**
71-
72-
1. Optionally, assign one of the following workspace-level roles to other workspace members to manage workspace APIs and other resources. The owner of the workspace can also assign workspace-level roles.
68+
1. Assign one of the following workspace-scoped roles to the workspace members to manage workspace APIs and other resources.
7369

7470
* **API Management Workspace Reader**
7571
* **API Management Workspace Contributor**
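
Review bot: In the service-scoped step (new lines 58-61), "Assign one of the following service-scoped roles to each member of the workspace" gives no basis for choosing between the two roles now that the owner/other-member split is gone. The role table in api-management-role-based-access-control.md describes API Management Service Workspace API Product Manager as having the Developer access plus read access to users and write access for assigning users to groups, so suggest stating that API Management Service Workspace API Developer is the narrower choice and that Product Manager is for members who need the extra user and group access. Also, the added note (new lines 44-46) ends with an empty ">" line, and the two bullets after it lost their lead-in when "At minimum, assign an *owner*..." was removed.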

articles/api-management/workspaces-overview.md

Lines changed: 6 additions & 4 deletions
@@ -31,12 +31,10 @@ An organization that manages APIs using Azure API Management may have multiple d
3131

3232
The following is a sample workflow for creating and using a workspace.
3333

34-
1. A central API platform team that manages the API Management instance creates a workspace and assigns its owners and workspace members.
34+
1. A central API platform team that manages the API Management instance creates a workspace and assigns permissions to workspace collaborators using RBAC roles - for example, permissions to create or read resources in the workspace.
3535

3636
1. A central API platform team uses DevOps tools to create a DevOps pipeline for APIs in that workspace.
3737

38-
1. Workspace owners assign permissions to workspace members using RBAC roles - for example, permissions to create or read resources in the workspace.
39-
4038
1. Workspace members develop, publish, productize, and maintain APIs in the workspace.
4139

4240
1. The central API platform team manages the infrastructure of the service, such as network connectivity, monitoring, resiliency, and enforcement of all-APIs policies.
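
Review bot: New step 1 (line 34) says permissions go to "workspace collaborators", while the unchanged step on new line 38 says "Workspace members" develop and publish APIs; pick one term so it is clear these are the same people. Since the removed "Workspace owners assign permissions" step is now folded into step 1, it would also help to say there that each collaborator needs both a service-scoped role and a workspace-scoped role, as the access paragraph later in this file states.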
@@ -83,7 +81,11 @@ The following resources can be managed in the workspaces preview.
8381

8482
Azure RBAC is used to configure workspace collaborators' permissions to read and edit entities in the workspace. For a list of roles, see [How to use role-based access control in API Management](api-management-role-based-access-control.md).
8583

86-
Workspace members must be assigned both a service-level role and a workspace-level role, or granted equivalent permissions using custom roles. The service-level role enables referencing service-level resources from workspace-level resources. For example, publish an API from a workspace with a service-level product, assign a service-level tag to an API, or organize a user into a workspace-level group to control API and product visibility.
84+
Workspace members must be assigned both a service-scoped role and a workspace-scoped role, or granted equivalent permissions using custom roles. The service-scoped role enables referencing service-level resources from workspace-level resources. For example, publish an API from a workspace with a service-level product, assign a service-level tag to an API, or organize a user into a workspace-level group to control API and product visibility.
85+
86+
> [!NOTE]
87+
> For easier management, set up Azure AD groups to assign workspace permissions to multiple users.
88+
>
8789
8890
## Workspaces and other API Management features
8991
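
Review bot: The added note (new lines 86-88) recommends Azure AD groups but does not carry over the requirement from the paragraph directly above it: a group needs both a service-scoped role and a workspace-scoped role, otherwise its members cannot reference service-level resources from the workspace. Suggest wording such as "set up Azure AD groups and assign each group both roles". The note also ends with an empty ">" line, and the same text is added verbatim in how-to-create-workspace.md; a shared include or a link would keep the two copies from drifting.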
