PingOne Platform API Reference - Early Access

The PingOne early access APIs are available to you when you enable the early access features. When enabled, the features apply only to a specified environment. You select the features to enable, and can remove the feature from the specified environment at any time during the early access period.

Early Access

These early access features are available for preview purposes only, and are not covered under standard Support SLAs. You can open support cases for feedback, bug reports, configuration questions, or other inquiries related to early access features, but resolution times for these cases will vary. These cases often require collaboration with our Engineering and Product teams, so timelines might exceed the usual SLAs for your Support package.

We encourage you to use any of the early access features you find applicable. You'll need to enable each feature you'd like to use. See Early Access Features for instructions.

Configuration Management

The Configuration Management service gives you a secure and flexible approach to automating (promoting) configurations across multiple environments, enabling the seamless creation, updating, and deletion of resources while supporting dynamic configurations through variable management. Resource dependencies are maintained, ensuring smooth cross-environment transitions and promotions. Auditing and reporting enhance oversight and compliance.

To use the Configuration Management service you need to have the Environment Admin role for at least two environments. The general workflow is:

  • Select configurations that you want to promote from one environment to another (generally, through development, testing, and production stages).
  • If desired, use promotion variables to dynamically substitute different property values for a configuration resource included in a promotion operation.
  • Execute the promotion plan returned by the Read One Promotion or Read All Promotions to move the configuration from the source environment to the target environment.

The Configuration Management service is comprised of these sub-services:

Resources requiring special handling

Certificates

Certificates are not a promotable resource in PingOne, however special handling of them is required for resources that reference them. Certificate references can be promoted in using either default certificates or through the use of promotion variables:

  • Default certificates

    When a configuration resource is using the default certificate as its signing key (a SAML application, for example), the application can be promoted, and will reference the default signing key existing in the target environment. Certificate rotation for the signing key can be done by setting a new default certificate in the target environment, and then promoting the configuration resource or resources using the default signing key in the source environment.

  • Certificates as promotion variables

    You can handle all certificate references other than default certificates using promotion variables. You'll need to create a promotion variable with the certificate ID in each environment. When the resource or resources referencing the certificate are promoted, the promotion operation will use the variable value to substitute the correct certificate in the target environment or environments. If there are other configuration resources that use the certificate, they will also use the correct certificate when any of these configuration resources are promoted to the same target environment or environments.

Attributes

You can promote individual attributes in the schema. However if you're promoting an application that references a custom attribute, the promotion plan will include all attributes in the schema. In this case, you can then exclude the unnecessary attributes by editing the promotion plan prior to starting the promotion operation.

If you want to use Postman

You can download or fork the Postman collection for the early access Configuration Management APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collection PingOne Configuration Management APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

Snapshots

A snapshot is a point in time representation of any configuration resource in PingOne. A snapshot is triggered when the request POST {{apiPath}}/environments/{{envID}}/snapshots is called. The configuration resource, and optionally all of its dependencies, are then stored by the Snapshot service. The snapshots are stored and indexed using the original identifier (ID) of the configuration resource. For example, an applications snapshot will be stored using the ID of the application. Subsequent calls to the request POST {{apiPath}}/environments/{{envID}}/snapshots for the same configuration resource generates a new version of the configuration resource each time the request is called. You can retrieve the version history of any configuration resource using the original identifier of the resource. You'll use the snapshot created for a configuration resource to promote (apply) the configuration resource from the source environment to another environment.

Snapshots data model

Property Type Required? Mutable? Description
baseResourceURL String Required Mutable The URL of the resource to use. The form is: "https://api.pingone.com/v1/environments/{{envId}}/{{resourceName}}/{{resourceId}}", where "resourceName" is the name of the configuration resource to snapshot.
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
completedAt Date N/A Read-only The date and time at which the snapshot creation was completed (ISO 8601 format).
configuration Object N/A Read-only The JSON representation of the configuration resource. If the configuration resource has been deleted, this will be empty (null).
error String N/A Read-only If an error occurs while creating the snapshot, it's returned here.
id String Required Immutable The identifier of the configuration resource.
resourceId String Optional Mutable The identifier of the configuration resource.
resourceUrl String Optional Mutable The URL of the configuration resource.
referencedResources String[] Optional Mutable The list of identifiers for any dependent or referenced configuration resources. The dependent or referenced resources can be only one level down in the possible tree of such resources.
snapshotId String N/A Read-only The identifier of the snapshot.
startedAt Date N/A Read-only The date and time at which the snapshot creation was started (ISO 8601 format).
status String N/A Read-only The status of the snapshot creation process. This can be any one of: COMPLETE, WAITING, IN_PROGRESS, ERROR.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
versionedAt Date N/A Read-only The date and time of the updatedAt property on the original resource. For deleted events, this will be the date and time the event was published.

Create Snapshot

Read Latest Snapshot

Read One Snapshot Version

Read All Snapshot Versions

Promotions

A promotion includes, at a minimum, source and target environment references, automatically generated source and target snapshots, the resource or resources to promote to the target environment, and a promotion plan for the promotion operation. You need to have the Environment Admin role for both the source and target environments. You can optionally include a specific source environment snapshot to use, as well as a mapping of the source environment configuration resource or resources to the target environment configuration resource or resources.

A PingOne admin having Environment Admin permissions can review the promotion plan, and update the promotion mapping and variable definitions or declarations as needed. The promotion plan is then regenerated based on the updates. Use the Read One Promotion or Read All Promotions to view the promotion plan.

If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation. See Promotion Variables for more information.

When you choose to start the promotion operation, the promotion plan supplies the promotion operation instructions to the Promotions service. The Promotions service then:

  • Filters out any configuration resources that haven't changed, and calls the required target environment API using the new or altered resources.
  • Sets the promotion's started_at and status values.
  • Collects any errors into a JSON array, and returns the errors.
  • Updates the promotion's completedAt and status values when the promotion operation is complete.

Promotions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time the promotion was created.
completedAt Date N/A Read-only The date and time the promotion operation completed.
description String Optional Mutable A description of the promotion to be performed.
errors Object[] N/A Read-only An array of JSON objects correlating the configuration resource identifier in the source environment to the error messages from the target environment.
excludedResources Object[]* Optional Mutable An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource identifiers, and resource URLs for the configuration resources to be excluded from promotion.
resourceMapping Map Optional Mutable A mapping of the configuration resource identifiers in the source environment to the configuration resource identifiers in the target environment.
promotionPlan Object[] N/A Read-only An array of JSON objects containing the promotion plan generated. The promotion plan is generated by the POST operation, but is returned only by either of the GET operations. For a DELETE operation, the payload property in the response will be empty.
promotionPlan.steps Object[] N/A Read-only An array of JSON objects identifying the resource or resources, the configuration of the resource or resources, and the target environment or environments.
promotionPlan.totalDistance Integer N/A Read-only (Internal use only.) A comparison metric the Configuration Management service uses to determine whether there is a comparable resource in the target environment to replace.
selectedResources Object[]* Optional Mutable An array of JSON objects. *Optionally, this can be an array of strings. Contains the resource identifiers, and resource URLs for the configuration resources selected for promotion. If this is omitted, the entire current environment is used (the environment ID is injected.)
sourceEnvironment String Optional Immutable A JSON object containing the ID of the source environment. If not specified, the current source environment for the actor is used.
sourceSnapshotId String Optional Mutable The identifier of the snapshot to use as the promotion source.
startedAt Date N/A Read-only The date and time the promotion operation started.
status String N/A Read-only An enumeration indicating the status of the promotion. This can be: NEW, PREPARING, READY, IN_PROGRESS, COMPLETED, VALIDATION_FAILED, or ERROR.
targetEnvironment Object Required Immutable A JSON object containing the identifier of the target environment.
targetSnapshotId String Optional Mutable The identifier of the snapshot to use as the promotion target.

Excluded Resources

Currently, not all resources, services, or products can be used in a promotion operation.

Excluded products or services
  • PingOne DaVinci (except for Forms)
  • PingOne Authorize
Excluded resources

Some resources can never be promoted, while others will be supported for promotion, but currently are not.

Permanently excluded resources

These resources are expected to never be supported for promotion:

  • Active Identity Counts
  • Activities
  • Adaptive Trust Policies
  • Applications Role Assignments
  • Application Signons
  • Application Signons Statistics
  • Certificates
  • Connectors
  • Dashboards
  • Data Exploration Batches
  • Data Explorations
  • Data Exploration Templates
  • Licenses
  • Licenses Expires At
  • Licenses Metrics Active Identity Counts
  • Licenses Name
  • PingOne for Enterprise Orchestrations
  • PingOne for Enterprise Callback
Currently excluded resources

These resources will be supported for promotion, but are not currently:

  • Admin Config
  • API Servers
  • Application Entitlements
  • Application Permissions
  • Application Resources
  • Application Roles
  • Applications Secret
  • Authorization Attributes
  • Authorization Changes
  • Authorization Conditions
  • Authorization Connector Templates
  • Authorization Policies
  • Authorization Processors
  • Authorization Rules
  • Authorization Services
  • Authorization Statements
  • Branding Settings
  • Connector Instances
  • Credential Counts
  • Credential Issuer Profile
  • Credential Types
  • Custom Domains
  • Davinci Applications
  • Decision Endpoints
  • Delegated Admins
  • Device Authentications
  • Digital Wallet Applications
  • External Services
  • Fido Devices Metadata
  • Flow Definitions
  • Flow Metadata
  • Flow Policies
  • Flows
  • Fraud Evaluations
  • Fraud Events Details
  • Fraud Feedbacks
  • Fraud Sessions
  • Identity Cloud
  • Identity Cloud Orchestrations
  • Images
  • Integrations
  • Languages
  • Legacy
  • Locales
  • Metrics
  • Migrate
  • Notification Callback
  • Notification Callback AWS email
  • Notification Callback Syniverse
  • Notification Callback Twilio
  • Notification Callback Whatsapp
  • Notifications
  • Notifications Quota
  • OAuth Jobs
  • OAuth Tokens
  • Organization Quota
  • Password Storage Scheme Config
  • Pingid
  • Pingid Mobile App Versions
  • Pingid Mobile Display Names
  • Pingid Mobile Os Versions
  • Portal
  • Presentation Sessions
  • Promotions
  • Promotion Variable Declarations
  • Propagation
  • Propagation Mappings
  • Propagation Plans
  • Propagation Provisioning Syncs
  • Propagation Revisions ID
  • Propagation Revisions ID Latest
  • Propagation Rules
  • Propagation Store Metadata
  • Propagation Stores
  • QS Dashboards
  • Rate Limit IP Configs
  • Recaptcha V2 Config
  • Resources Secret
  • Risk Evaluations
  • Risk Feedback
  • Roles
  • Seen Devices
  • Sessions
  • Snapshots
  • Software Licenses
  • Solutions
  • Subscriptions
  • Tiles
  • Total Identities
  • Translations
  • Users
  • Variables
  • Voice Phrases

Create Promotion

Start Promotion

Read All Promotions

Read One Promotion

Read Promotion Status

Update Promotion

Delete Promotion

Promotion Variables

Use promotion variables to to account for environment-specific differences, such as 3rd party integrations or URLs. You can specify configuration resource property values for either the source or target environment to be substituted for existing property values by the promotion operation. Only the promotion variables you set can change property values for use by the promotion operation. If you do not set any promotion variables, the configuration resource or resources that you specify for the source or target environment will be used as is, and cannot be changed during the promotion operation.

To use promotion variables, you need to:

  1. Specify the configuration resource to be promoted in a snapshot.
  2. Define the variable or variables to be used for a source or target environment configuration resource property. See Variable Definitions.
  3. Declare the variables to be used by the promotion operation. See Variable Declarations.

A few things to be aware of:

  • The variables are scoped only to the specified configuration resources, and are not applied to any dependent resources.
  • Variables are not versioned with a snapshot, so for each promotion operation, you need to ensure the variable settings for a configuration resource are correct.
  • Any configuration resources that you change directly without updating the variables will be overwritten by a subsequent promotion operation. This is because the promotion operation will use the existing variable set.

Variable Resources

Not all configuration resources or properties can be used as promotion variables. Here's the listing of configuration resources, and the associated properties that are supported as promotion variables:

Resource Properties
Applications acsUrls
audienceRestriction
corsSettings
defaultTargetUrl
deviceCustomVerificationUri
devicePathId
domainName
homePageUrl
idpSigning.algorithm
idpSigning.key.id
initiateLoginUri
jwks
jwksUrl
kerberos.key.id
mobile.bundleId
mobile.huaweiAppId
mobile.huaweiPackageName
mobile.integrityDetection.googlePlay.serviceAccountCredentials
mobile.packageName
mobile.uriPrefix
postLogoutRedirectUris
redirectUris
replyUrl
sloEndpoint
sloResponseEndpoint
spEncryption.certificate.id
spEntityId
spVerification.cert.id
subjectNameIdentifierFormat
targetLinkUri
Authentication relyingPartyId
Branding companyName
logo.href
Custom Domain domainName
Email Domains domainName
Gateways bindDN
bindPassword
kerberos.serviceAccountPassword
kerberos.serviceAccountUserPrincipalName
radiusClients.ip
Identity Providers appId
appSecret
authorizationEndpoint
clientEnvironment
clientId
clientSecret
clientSecretSigningKey
discoveryEndpoint
idpEntityId
issuer
jwksEndpoint
keyId
sloEndpoint
spSigning.key.id
ssoEndpoint
teamId
tenantId
tokenEndpoint
userInfoEndpoint
Notification Templates body
content
replyTo.address
replyTo.name
Notifications Phone Delivery Settings authToken
authentication.username
sid
Notifications key
type
Provisioning configuration.Administrator_Password
configuration.Administrator_Username
configuration.BASE_URL
configuration.BASIC_AUTH_PASSWORD
configuration.BASIC_AUTH_USER
configuration.CLIENT_ID
configuration.CLIENT_SECRET
configuration.ClientId
configuration.ClientSecret
configuration.GROUPS_RESOURCE
configuration.OAUTH_ACCESS_TOKEN
configuration.OAUTH_CLIENT_ID
configuration.OAUTH_CLIENT_SECRET
configuration.OAUTH_REFRESH_TOKEN
configuration.SALESFORCE_DOMAIN
configuration.SCIM_URL
configuration.ServiceNow_Url
configuration.TenantDomain
configuration.USERS_RESOURCE
configuration.password
configuration.tenantId
configuration.username
Trusted Email Addresses emailAddress

Variable Resources

Variable Definitions

When promoting a configuration, you need to define any variables you intend to use to substitute for existing property values. Once defined, you'll need to then declare a variable. See Variable Declarations for details.

Variable definitions data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
name String Required Mutable The name to use for the variable. This name must be unique in the environment.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
value Object Required Mutable A JSON object containing the value to assign to the variable. Currently, the object type can be: String, List, or Integer.

Create Variable Definition

Read All Variable Definitions

Read One Variable Definition

Update Variable Definition

Delete Variable Definition

Variable Declarations

Before you can declare a variable (POST {{apiPath}}/environments/{{envID}}/promotionVariableDeclarations), you need to define the variable that you intend to use. See Variable Definitions for details.

Variable declarations data model

Property Type Required? Mutable? Description
createdAt Date N/A Read-only The date and time at which the resource was created (ISO 8601 format).
resourceId String Required Mutable The UUID of the configuration resource.
updatedAt Date N/A Read-only The date and time at which the resource was last updated (ISO 8601 format).
variables Map Required Mutable A mapping of configuration resource properties to the name values of defined variables. For example, for an applications resource, you might map the refreshTokenDuration property to a variable definition having a name value of refreshTokenDurationVar.

Create Variable Declaration

Read Variable Declarations

Update Variable Declaration

Update Variable Declaration

Delete Variable Declaration

Promotion Configuration

The promotionConfiguration endpoint sets and reads default target environment to be used for promotions. When you know that you'll be working with a specific target environment, you can set this environment as the default for the promotions you're doing.

Read Promotion Configuration

Update Promotion Configuration

PingOne Authorize Admin APIs

PingOne Authorize provides customers with a fine-grained, attribute-based, dynamic authorization decisioning capability. PingOne Authorize moves per-transaction authorization logic from customer applications to PingOne, enabling centralized control of authorization policy and reuse of policy across applications and contexts.

The PingOne Authorize Admin API endpoints in this section include:

For PingOne Authorize introductory information, see Introduction to PingOne Authorize in the PingOne Authorize administrators guide.

If you want to use Postman

You can download or fork the Postman collection for the early access PingOne Authorize Editor Policy Management APIs, and test them in your Postman environment. If you don't already have a Postman installation, you can install the free version. See Download Postman.

Import or fork the Postman collections for PingOne Authorize Admin APIs - Early Access into your Postman installation by clicking the Run in Postman button below:

Run In Postman

Refer to Postman and the PingOne APIs for more information.

PingOne Authorize Trust Framework

The PingOne Authorize trust framework service provides endpoints to define the entities and configurations to target policies and rules when making dynamic authorization requests.

The trust framework is based on attributes. These attributes have resolvers which bring contextual data values into the attribute. Resolvers can be conditional using an embedded condition or they can be a reference to a condition entity.

A service resolver references a service that can call out to a third-party HTTP service or the PingOne Protect service. Attributes can transform the value received from resolvers using embedded processors or referenced processors.

To create and manage the attributes, services, conditions, and processors, required by the PingOne Authorize trust framework, see:

Authorization Attributes

Authorization attributes provide contextual information that informs fine-grained dynamic authorization decisions. Attributes have the following characteristics:

  • An attribute has zero or more resolvers that bring the contextual data into the attribute value. The list of ordered resolvers are evaluated sequentially until a successful value is returned.

  • An attribute has zero or more processors that transform the data coming from the resolvers.

  • An attribute has a valueType property value that specifies the final output type of the attribute.

Authorization attributes data model
Property Type? Required? Mutable? Description
defaultValue String Optional Mutable The value to use if no resolvers are defined or if an error occurred with the resolvers or processors.
description String Optional Mutable The attribute resource's description.
fullName String Required Mutable A unique name generated by the system for each attribute resource. It is the concatenation of names in the attribute resource hierarchy.
id String N/A Read only The resource's unique identifier.
managedEntity Object Optional Read only A system-assigned set of restrictions and metadata related to the resource.
name String Required Mutable A user-friendly attribute name.
parent Object Optional Mutable The attribute resource's parent.
parent.id String Optional Mutable The attribute resource's parent ID.
processor Object Optional Mutable The attribute resource's processor.
processor.type String Optional Mutable The attribute resource's processor type. Options are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, and REFERENCE. See Authorization processors processor type data model for additional properties for each processor type.
processor.name String Optional Mutable A user-friendly authorization processor name. The name value must be unique.
repetitionSource Object Optional Mutable A setting to designate the attribute as multi-valued and repeatable.
resolvers Array Optional Mutable The attribute resource's resolvers.
resolvers.type String Optional Mutable The attribute resource's resolver type. Options are REQUEST, CONSTANT, ATTRIBUTE, SERVICE, SYSTEM, CONFIGURATION, CURRENT_REPETITION_VALUE, CURRENT_USER_ID, and USER.
type String Required Read only The attribute type. Options are ATTRIBUTE.
valueType Object Required Mutable The value type object for the attribute.
valueType.type String Required Mutable The output type for the attribute. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME, ZONED_DATE_TIME, TIME_PERIOD, PERIOD, and DURATION.
version String Required Read only A random ID generated by the system for concurrency control purposes.
Authorization attributes resolvers type data model
Resolver type Description
REQUEST The value comes from the decision request.
ATTRIBUTE The value comes from another attribute. Additional properties are:
  • value, the value object.
  • value.id, the ID of the referring attribute.
CONSTANT The value provided is a constant. Additional properties are:
  • value, the constant value.
  • valueType, the output type of the constant. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
SERVICE The value comes from a service. Additional properties are:
  • value, the value object.
  • value.id, the ID of the referring service.
SYSTEM The value is provided by the system. Additional properties are:
  • value, a value that is set to either NULL or CURRENT_DATE_TIME.
CURRENT_REPETITION_VALUE The value of the repetition if the attribute belongs to a repetition scope.
CURRENT_USER_ID The value comes from the userContext property in the decision request.
USER The value is a PingOne user. Additional properties are:
  • query, a UserQuery object that provides a PingOne userId string.
Event types

The audit reporting events applicable to the authorize attribute service are:

Topic Event
authorize-model AUTHORIZE_ATTRIBUTE.CREATED
authorize-model AUTHORIZE_ATTRIBUTE.UPDATED
authorize-model AUTHORIZE_ATTRIBUTE.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Attribute

Test Authorization Attribute

Read Authorization Attributes

Read One Authorization Attribute

Update Authorization Attribute

Delete Authorization Attribute

Authorization Services

Authorization services, also referred to as Policy Information Points or PIPs, represent third-party HTTP services or internal PingOne platform services (such as PingOne Protect) that may be called to retrieve data.

These endpoints provide operations to create, read, update, test, and delete authorization services.

Authorization services data model
Property Type? Required? Mutable? Description
cacheSettings Object Optional Mutable The service's cache settings.
cacheSettings.ttlSeconds integer Optional Mutable The service's time to live in seconds.
description String Optional Mutable The authorization service resource's description.
fullName String Required Mutable A unique name generated by the system for each service resource. It is the concatenation of names in the service resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly service name.
parent Object Optional Mutable The service resource's parent.
parent.id String Optional Mutable The service resource's parent ID.
serviceType String Required Mutable The type of service. Options are NONE, HTTP, CONNECTOR. See the "serviceType property data model tables" section for information about the properties associated with each service type.
type String Required Read only The resource type. Options are SERVICE.
version String Required Read only A random ID generated by the system for concurrency control purposes.

The serviceType property supports the following three options: NONE, HTTP, and CONNECTOR. The NONE option does not require additional configuration. The HTTP and CONNECTOR service types require additional configuration property values in the request. The following tables describe the data models for these options.

HTTP serviceType data model properties
Property Type? Required? Mutable? Description
processor Object Optional Mutable The processor to transform the value returned from the resolver. Processor types are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, and REFERENCE.
valueType Object Required Mutable The final output type of the service. Value types are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME, ZONED_DATE_TIME, TIME_PERIOD, PERIOD, and DURATION.
serviceSettings Object Required Mutable The service settings object.
serviceSettings.maximumConcurrentReqests Integer Required Mutable The value must be greater than or equal to 1.
serviceSettings.maximumReqestsPerSecond Decimal Required Mutable The value must be greater than 0.
serviceSettings.timeoutMilliseconds Integer Required Mutable The value must be between 0 and 3000 (inclusive).
serviceSettings.type String Required Mutable The service type. Options are HTTP and CONNECTOR.

If the serviceSettings.type property is HTTP, the service supports the following service settings properties:

HTTP ServiceSettings property data model
Property Type? Required? Mutable? Description
type Object Required Immutable The type object.
url String Required Mutable The HTTP URL.
verb String Required Immutable The HTTP method. Options are GET, POST, PUT, DELETE, and HEAD.
body String Optional Mutable The HTTP request body.
contentType String Optional Mutable The HTTP request content type.
headers[] Array Optional Mutable The HTTP request headers. Each SPECIFIED HTTP header requires key and value properties. The value property input options are ATTRIBUTE or CONSTANT. If the value is an ATTRIBUTE, the input is expressed as a JSON object that specifies an attribute UUID. If the value is a CONSTANT, the input is a string.
authentication Object Required Mutable The authentication object. Authentication optinos are NONE, BASIC, TOKEN, and CLIENT_CREDENTIALS. For information about authentication type properties, see the data model table below.
tlsSettings Object Required Mutable The TLS object.
tlsSettings.tlsValidationType String Required Mutable The TLS validation type. Options are DEFAULT and NONE.
HTTP ServiceSettings authentication property data model

BASIC

Property Type? Required? Mutable? Description
name Object Required Mutable The user object.
name.id UUID Required Mutable The user name of the authenticator.
password Object Required Mutable The user object.
password.id UUID Required Mutable The password of the authenticator.

TOKEN

Property Type? Required? Mutable? Description
token Object Required Mutable The token object.
token.id UUID Required Mutable The token used to authenticate.

CLIENT_CREDENTIALS

Property Type? Required? Mutable? Description
tokenEndpoint String Required Mutable The token endpoint.
clientId String Required Mutable The client ID string.
clientSecret Object Required Mutable The client secret object.
clientSecret.id UUID Required Mutable The client secret string.
scope String Required Mutable The permissions that determine the resources that the application can access.
CONNECTOR data model properties
Property Type? Required? Mutable? Description
processor Object Optional Mutable The processor object, if specified.
valueType Object Required Mutable The value type object.
serviceSettings Object Required Mutable The service settings object for the CONNECTOR service type.
clientSecret.id UUID Required Mutable The client secret string.
scope String Required Mutable The permissions that determine the resources that the application can access.
CONNECTOR ServiceSettings property data model
Property Type? Required? Mutable? Description
type Object Required Immutable The type object.
channel Sting Required Mutable The channel value. Options are AUTHORIZE.
code String Required Mutable The code value. Options are P1_RISK.
capability String Required Mutable The capability associated with connector code and channel.
schemaVersion Integer Required Mutable The schema version in the connector template.
inputMappings[] Array Required Mutable The list of input mappings of matching the connector template.
inputMappings.type String Required Mutable The input mapping type. Options are ATTRIBUTE and INPUT. See the data model tables below for information about ATTRIBUTE and INPUT properties.
CONNECTOR inputMappings.type property data model

ATTRIBUTE

Property Type? Required? Mutable? Description
type Object Required Mutable The input mapping type.
value Object Required Mutable The input mapping value property.
value.id UUID Required Mutable An attribute ID.

INPUT

Property Type? Required? Mutable? Description
type Object Required Mutable The input mapping type.
value string Optional Mutable An input value.
Event types

The audit reporting events applicable to the authorization services service are:

Topic Event
authorize-model AUTHORIZE_SERVICE.CREATED
authorize-model AUTHORIZE_SERVICE.UPDATED
authorize-model AUTHORIZE_SERVICE.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Service

Test Authorization Service

Read Authorization Services

Read One Authorization Service

Update Authorization Service

Delete Authorization Service

Authorization Conditions

Conditions in PingOne Authorize define authorization logic by comparing one thing to another. Conditions evaluate to either true or false. The authorization conditions service provides endpoints to create, read, update, test, and delete trust framework authorization conditions.

Authorization conditions data model
Property Type? Required? Mutable? Description
condition Object Required Mutable The authorization condition object.
condition.type String Required Mutable The authorization condition type. Options are COMPARISON, AND, OR, EMPTY, NOT, REFERENCE.
condition.conditions[] Object Required Mutable A set of conditions.
condition.conditions.type String Required Mutable The type of condition.
condition.conditions.comparator String Required Mutable The operator used to evaluate the condition.
condition.conditions.left Object Required Mutable An object that defines the left side of the condition statement.
condition.conditions.right Object Required Mutable An object that defines the right side of the condition statement.
description String Optional Mutable The authorization condition resource's description.
fullName String Required Mutable A unique name generated by the system for each authorization condition resource. It is the concatenation of names in the condition resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization condition name.
parent Object Optional Mutable The authorization condition resource's parent.
parent.id String Optional Mutable The authorization condition resource's parent ID.
type String Optional Mutable The condition resource's type. Options are CONDITION.
version String Required Read only A random ID generated by the system for concurrency control purposes.
Authorization conditions condition type data model
Condition type Description
AND The and logical condition. Additional properties are:
  • conditions, the list of conditions that must be met.
OR The or logical condition. Additional properties are:
  • conditions, the list of conditions of which one must be met.
NOT The not logical condition. Additional properties are:
  • condition, the list of conditions.
EMPTY The empty condition, which specifies no conditions to be met.
REFERENCE The reference condition. Additional properties are:
  • reference, the reference object.
  • reference.id, the ID of an authorization condition.
COMPARISON The comparison condition. Additional properties are:
  • left, the value on the left side of the comparison operator.
  • right, the value on the right side of the comparison operator.
  • comparator, the comparison operator. Options are IS_MEMBER_OF, IS_NOT_MEMBER_OF, CONTAINS_GROUP, DOES_NOT_CONTAIN_GROUP, CONTAINS, NOT_CONTAINS, EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESSER_THAN, LESSER_THAN_OR_EQUAL, REGULAR_EXPRESSION, STARTS_WITH, NOT_STARTS_WITH, ENDS_WITH, NOT_ENDS_WITH, MATCHES, NOT_MATCHES, IS_IN, IS_NOT_IN, IN_CIDR_BLOCK, NOT_IN_CIDR_BLOCK
Event types

The audit reporting events applicable to the authorization condition service are:

Topic Event
authorize-model AUTHORIZE_CONDITION.CREATED
authorize-model AUTHORIZE_CONDITION.UPDATED
authorize-model AUTHORIZE_CONDITION.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Condition

Test Authorization Condition

Read Authorization Conditions

Read One Authorization Condition

Update Authorization Condition

Delete Authorization Condition

Authorization Processors

Authorization processors transform the data coming from the resolvers. Processors manipulate and transform data, including extracting details from structured data, or converting data to different formats. These endpoints provide operations to create, read, update, and delete authorizaton processor resources.

Authorization processors data model
Property Type? Required? Mutable? Description
description String Optional Mutable The authorization processor resource's description.
fullName String Required Mutable A unique name generated by the system for each authorization processor resource. It is the concatenation of names in the processor resource hierarchy.
id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization processor name.
parent Object Optional Mutable The authorization processor resource's parent.
parent.id String Optional Mutable The authorization processor resource's parent ID.
processor Object Optional Mutable The authorization processor resource's processor object.
processor.type String Optional Mutable The authorization processor resource's processor type. Options are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, REFERENCE. See Authorization processors processor type data model for additional properties for each processor type.
processor.name String Optional Mutable A user-friendly authorization processor name. The name value must be unique.
type String Optional Mutable The processor resource's processor type. Options are PROCESSOR.
version String Required Read only A random ID generated by the system for concurrency control purposes.
Authorization processors processor type data model
Processor type Description
JSON_PATH The JSON path expression processor. Additional properties are:
  • expression, the JSON path expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
CHAIN The CHAIN processor. Additional properties are:
  • processors, the list of processors to apply in the given order.
COLLECTION_FILTER The collection filter processor. Additional properties are:
  • predicate, the XPath expression.
COLLECTION_TRANSFORM The collection transform processor. Additional properties are:
  • processors, the list of processors to apply in the given order.
REFERENCE The reference processor. Additional properties are:
  • processor, the processor object.
  • processor.id, the ID of an authorization processor.
SPEL The SpEL expression processor. Additional properties are:
  • expression, the SpEL expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
XPATH The XPath expression processor. Additional properties are:
  • expression, the XPath expression.
  • valueType, the output type for the value. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME.
Event types

The audit reporting events applicable to the authorize processors service are:

Topic Event
authorize-model AUTHORIZE_PROCESSOR.CREATED
authorize-model AUTHORIZE_PROCESSOR.UPDATED
authorize-model AUTHORIZE_PROCESSOR.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Processor

Read Authorization Processors

Read One Authorization Processor

Update Authorization Processor

Delete Authorization Processor

Authorization Connector Templates

This endpoint provides an operation to view the authorization connector templates associated with the specified environment.

Connector templates data model
Property Type? Required? Mutable? Description
type String Required Immutable The type of connector template.
channel String Required Mutable The connector template channel.
code String Required Mutable The code associated with the service.
capability String Required Mutable The capability associated with the connector code and channel.
schemaVersion Integer Required Mutable The schema version of the connector template.
inputMappings Array Required mutable The list of input mappings of the connector template.
inputMappings.type String Required mutable The type of input mapping. Options are ATTRIBUTE, INPUT.
inputMappings.property string Required mutable The property associated with the input mapping.
cacheSettings Object Optional Mutable An object that specifies the cache settings.
cacheSettings.ttlSeconds Integer Optional Mutable The time to live setting specified in seconds.
Response codes
Code Message
200 Successful operation.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read Authorization Connector Templates

PingOne Authorize Editor Policy Management

PingOne Authorize policies model business requirements into authorization logic using elements created in the PingOne Authorize Trust Framework.

Policies are based on application requirements and the regulations that you're complying with. Your organization imposes many conditions and constraints on access control. Policies capture these constraints in rules that define the circumstances under which users can access certain resources.

The policy management endpoints include:

Authorization Policies

Authorization policies specify the statements (directives that instruct the policy decision service to perform additional processing in conjunction with an authorization decision), conditions (authorization logic comparing one thing to another), and combining algorithms (the process for combining multiple rules) to determine an authorization decision.

Authorization policies data model
Property Type? Required? Mutable? Description
children Array Optional Mutable The list of child policies or rules. Can be either referenced or embedded.
combiningAlgorithm Object Required Immutable The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules.
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization policy resource's description.
enabled Boolean Optional Mutable The setting that determines whether the decision node is evaluated. The default value is true.
id String N/A Read only The policy resource's unique identifier.
name String Required Mutable A user-friendly policy name. The name value must be unique.
repetitionSettings Object Optional Mutable Applies the policy to each item of the specific attribute, filtered by decision.
repetitionSettings.source Object Optional Mutable The source associated with this rule.
repetitionSettings.source.id String Optional Mutable The UUID of the repetition source associated with this rule.
repetitionSettings.decision String Optional Mutable The decision filter. Options are PERMIT, DENY, NOT_APPLICABLE, and INDETERMINATE.
statements Object Optional Mutable The authorization statements object. Can be either referenced or embedded. For details, see Authorization Statements.
type String Required Mutable The attribute type. Options are POLICY.
version String Required Read only A random ID generated by the system for concurrency control purposes.
Authorization embedded policies data model
Property Type? Required? Mutable? Description
type String Required Mutable The embedded policy type. Options are POLICY.
value.id String Required Immutable The embedded policy ID.
name String Required Mutable The embedded policy name.
description String Optional Mutable The embedded policy description.
enabled Boolean Optional Mutable Specifies whether the embedded policy is enabled.
statements Object Optional Mutable The statements associated with this embedded policy.
conditions Object Optional Mutable The conditions associated with this embedded policy.
combiningAlgorithm Object Required Mutable The combining algorithm for the embedded policy.
children Array Optional Mutable The list of sub-child policies or rules associated with the embedded policy.
repetitionSettings Object Optional Mutable The repitition settings associated with the embedded policy.
Authorization policies embedded rules data model
Property Type? Required? Mutable? Description
type String Required Mutable The embedded rule type. Options are RULE.
value.id String Required Immutable The embedded rule ID.
name String Optional Mutable The embedded rule name.
description String Optional Mutable The child policy description.
enabled Boolean Optional Mutable Specifies whether the child policy is enabled.
statements Object Optional Mutable The statements associated with this child policy.
conditions Object Optional Mutable The conditions associated with this child policy.
effectSettings Object Required Immutable The settings that determine how the children are combined to produce an outcome for the policy.
Event types

The audit reporting events applicable to the authorize policies service are:

Topic Event
authorize-model AUTHORIZE_POLICIES.CREATED
authorize-model AUTHORIZE_POLICIES.UPDATED
authorize-model AUTHORIZE_POLICIES.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Policy

Test Authorization Policy

Read Authorization Policies

Read One Authorization Policy

Update Authorization Policy

Delete Authorization Policy

Authorization Statements

Statements instruct the policy decision service to perform additional processing in conjunction with an authorization decision. In addition to allowing or blocking access to a resource, using statements, the decision service can attach information to decision responses and filter and transform API payloads.

Authorization statements data model
Property Type? Required? Mutable? Description
appliesif String Required Mutable Specifies when to attach to a final decision. Options are ANYTHING, FINAL_DECISION_MATCHES, and PATCH_MATCHES.
appliesTo String Required Mutable Specifies what result the statement applies to. Options are ANYTHING, PERMIT, DENY, PERMIT_OR_DENY, and INDETERMINATE.
attributes Object Required Mutable The attributes attached to the statement.
code String Required Mutable The statement code.
description String Optional Mutable The authorization processor resource's description.
value.id String N/A Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization processor name. The name value must be unique.
obligatory Boolean Optional Mutable Specifies that the statement must be fulfilled as a condition of authorizing the decision request. The defaule is false.
payload String Required Mutable The statement payload.
services Object Required Mutable The services attached to the statement.
version String Required Read only A random ID generated by the system for concurrency control purposes.
Event types

The audit reporting events applicable to the authorize statements service are:

Topic Event
authorize-model AUTHORIZE_STATEMENT.CREATED
authorize-model AUTHORIZE_STATEMENT.UPDATED
authorize-model AUTHORIZE_STATEMENT.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Statement

Read Authorization Statements

Read One Authorization Statement

Update Authorization Statement

Delete Authorization Statement

Authorization Rules

Rules in PingOne Authorize identify the statements and conditions by which a decision node is evaluated. If the condition is true, the decision node is evaluated. Otherwise, it is not. PingOne Authorize policies can combine multiple rules to produce a Permit, Deny, Indeterminate, or Not Applicable decision.

Authorization rules data model
Property Type? Required? Mutable? Description
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization rule resource's description.
effectSettings Object Required Immutable An object that determines how the children are combined to produce an outcome for the policy.
enabled Boolean Optional Mutable The setting that determines whether the decision node is evaluated. The default value is true.
id UUID Required Read only The resource's unique identifier.
name String Required Mutable A user-friendly authorization rule name. The name value must be unique.
statements Object Optional Mutable The authorization statements object. For details, see Authorization Statements.
type String Required Immutable The condition resource's type. Options are CONDITION.
version UUID Required Read only A random ID generated by the system for concurrency control purposes.
Event types

The audit reporting events applicable to the authorization rules service are:

Topic Event
authorize-model AUTHORIZE_RULES.CREATED
authorize-model AUTHORIZE_RULES.UPDATED
authorize-model AUTHORIZE_RULES.DELETED
Response codes
Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Create Authorization Rule

Test Authorization Rule

Read Authorization Rules

Read One Authorization Rule

Update Authorization Rule

Delete Authorization Rule