PingAuthorize API Reference

Policy Decision

The PingAuthorize Server provides Authorization Policy Decision APIs to support non-API use cases.

The Authorization Policy Decision APIs consist of the following policy decision point (PDP) APIs:

The Authorization Policy Decision APIs can indicate when a request or response triggers advice, but the application server must implement the advice.

To make a PDP API available, you must:

XACML-JSON PDP API Reference

The XACML-JSON PDP API provides a standards-based HTTP API for decisions determined based on the policies configured within the PingAuthorize Server Policy Decision Service.

The XACML-JSON PDP API is implemented as a single endpoint that consuming application servers can access using POST requests to the /pdp path. The HTTP requests must include the appropriate Content-Type and Accept headers, and request bodies must adhere to the XACML-JSON standard. For more information, see Requests and responses.

The XACML-JSON PDP API supports the Multirequests JSON object, which allows a client to make multiple decision requests in a single HTTP request.

A successful XACML-JSON PDP API request goes through a two-phase flow:

  1. The client makes the XACML-JSON request, which is received by the XACML-JSON PDP API. The API converts the request to a PingAuthorize Server batch decision request and attempts to authorize the client.

  2. On successful authorization, the request is handed off to the Policy Decision Service to process decisions in batch for the XACML-JSON PDP API. The API then converts the batch decision responses to a XACML-JSON response and writes the response to the client.

Authorization

Before calculating a decision, the XACML-JSON PDP API attempts to authorize the client making the XACML-JSON PDP API request by invoking the Policy Decision Service.

To target a PDP authorization request in-policy, it must apply to the PDP Service and the authorize Action. The default policies included with PingAuthorize Server perform this authorization by only permitting requests with active access tokens that contain the urn:pingauthorize:pdp scope.

For example, under the default policies, the following request would result in an authorized client when the PDP is configured with a mock access token validator:

curl --insecure -X POST \
  -H 'Authorization: Bearer {"active":true,"scope":"urn:pingauthorize:pdp", "sub":"<valid-subject>"}' \
  -H 'Content-Type: application/xacml+json' \
  -d '{"Request":{}}' "https://<your-pingauthorize-host>:<your-pingauthorize-port>/pdp"

The default policies are intended to provide a foundation. You can modify these policies if additional authorization logic is required.

Decision processing

On successful client authorization, the XACML-JSON PDP API invokes the Policy Decision Service with the batch decision requests converted from the XACML-JSON request.

When writing policy for the XACML-JSON PDP API endpoint, you should note the mapping between the XACML-JSON schema and the PingAuthorize Server decision request. For more information, see Requests and Responses.

After the Policy Decision Service determines a decision response, it hands the response back to the XACML-JSON PDP API to provide to the client.

Requests and responses

The POST /pdp operation authorizes the client using the MultiRequests JSON object. On successful client authorization, the XACML-JSON PDP API invokes the Policy Decision Service with batch decision requests converted from the XACML-JSON request.

The {{apiPath}} variable in this request represents the client's PingAuthorize host and port. For example, https://<your-pingauthorize-host>:<your-pingauthorize-port>.


Authorize client with MultiRequests JSON object

JSON PDP API Reference

The JSON policy decision point (PDP) API provides an HTTP API for decisions determined by the policies configured within the PingAuthorize Server Policy Decision Service.

The JSON PDP API is implemented with an individual decision request endpoint, a batch request endpoint, and a query decision request endpoint that consuming application servers can access using POST requests to the /governance-engine, /governance-engine/batch, or /governance-engine/query paths, respectively.

A successful JSON PDP API request goes through the following flow:

  1. The client makes the JSON request, which is received by the JSON PDP API. The API forwards the request to the PDP.

  2. When the PDP returns a response, the API sends the response to the client.

By default, decision responses from the JSON PDP API will include, at minimum, basic information about the server instance, the API resources, and the inbound and outbound flow of data. You can use the X-Respond-With request header to modify the verbosity of the decision response. Add one X-Respond-With request header for each decision response view you wish to receive. For more information about decision response views and allowed values, see About the Decision Response View.

Batch requests

Batch requests consist of an array named "requests" of JSON objects, each of which is a standard JSON PDP API single decision request.

After the Policy Decision Service determines a decision response, it hands the response back to the JSON PDP API to provide to the client. JSON PDP API responses include decisions, such as Permit or Deny, and any obligations or advice that matched during policy processing.

The batch decision responses are guaranteed to be returned in the same order as the received responses. For example, the first response in the batch responses corresponds to a decision on the first request in the batch requests.


Authorize client with batch decision

Individual requests

A valid JSON PDP API request is a simple JSON object that can be forwarded to the Policy Decision Service. Policies can match a decision request by Service, Domain, Action, or other attributes.

The following table describes the values contained in a valid JSON PDP API request.

Field Type Required PingAuthorize Trust Framework type Example value
domain string no Domain Sales.Asia Pacific
action string no Action Retrieve
service string no Service Mobile.Landing page
identityProvider string no Identity Provider Social Networks.Spacebook
attributes map<string, string> yes Other Attributes {"Prospect name": "B. Vo"}

Authorize client with individual decision

Policy queries

Policy queries enable you to drive user interfaces and proactively evaluate authorization policy behavior through dynamic decision requests containing unbounded and multivalued attributes.

Decision requests with query attributes check which combinations of subject, action, and resource produce a PERMIT decision result in a specified context. Open-ended and multivalued requests increase decision efficiency by eliminating the need for batch requests to answer such questions as "Which accounts can this user access?" or "Can this user read or delete this resource?"

If a decision request including a subject, action, and resource produces a PERMIT response, that subject is authorized to perform that action on that resource. Policy administrators specify which users (subjects) can access system resources and which actions they can perform on those resources, given a range of dynamic, contextual data points evaluated at runtime. This data can include user roles, identity attributes, organization rules and policies, or a combination of them.


Query decision request

Policy Editor

The PingAuthorize Policy Editor APIs provide the tools to implement attribute-based access control and dynamic authorization management.

Authentication

Before making requests to the PingAuthorize Policy Editor endpoints, you must be authenticated. The following authentication methods are supported:

Method Description
None Provide the x-user-id header with a userID value.
OIDC Provide a valid token.
LDAP Provide valid client credentials.

Paginated responses

Many of the PingAuthorize Policy Editor endpoints have the term “Paginated” appended to the response (e.g. Collection of Policy (Paginated)). Since these endpoints typically return several entities in a single response body, pagination limits the number of entities returned by specifying query parameters.

The following example represents a JSON paginated response:

{
    "pagination": {
        "page": 1,
        "pageSize": 10,
        "totalItems": 1,
        "totalPages": 1
    },
    "data": [
        {
            <data>
        }
    ]
}

In this example, the first page is returned with a limit of 10 entities. Since there is only a single entity and page, represented by the totalItems and totalPages properties, a second page is not queryable. In this case, the totalItems needs to reach 11 for a second page to be queryable.

Query parameters for paginated responses

Use the following query parameters for pagination:

Query parameter Description
page Indicates which page of entities to return. For example, if the first page of entities returned does not contain a specific entity, then set page to 2 to return the next set of entities.
page-size Indicate the maximum number of entities returned.

Entity History

These endpoints provide the capabilities to read the history of a specific entity version, such as a trust framework, policy manager, and test suite entities.

Entity types

The following table shows entity types and descriptions:

Type Description
Definition Any Trust Framework or Test Suite entity type (i.e. Attribute, Service, Target, Condition, Test Case, Test Scenario).
Policy Policy type.
PolicySet PolicySet type.
Rule Rule type.
Statement Statement type.
Target Target type.

Read Entity with Specific Version

Trust Framework

The PingAuthorize Trust Framework defines all the entities that your organization can use to build policies. These entities include, for example, the HTTP request attributes that describe API requests protected by PingAuthorize Server and the services that identify the REST APIs themselves.

The PingAuthorize trust framework service provides endpoints to define the entities and configurations to target policies and rules when making dynamic authorization requests.

Authorization Trust Framework definition data model

Property Type? Required? Mutable? Description
description String N/A N/A Arbitrary description for the definition.
fullName String N/A N/A A unique name generated by the system for each definition. It’s the concatenation of names in the definition hierarchy.
id String N/A Read only The resource's unique identifier.
name String N/A N/A Arbitrary name for the definition.
numberOfChildren String N/A N/A Number of children of the definition.
parentId String N/A N/A ID of the parent definition.
permissions Object N/A N/A Permissions of the definition.
properties N/A N/A N/A Properties of the definition.
type Object Required Mutable Type of the definition. See DefinitionType (ENUM) for all value options.
version String Required Read only A unique ID generated by the system for concurrency control purposes.

Authorization test case (definition) data model

Property Type? Required? Mutable? Description
testCase Object N/A N/A The field that was changed.

Authorization test scenario (definition) data model

Property Type? Required? Mutable? Description
testScenario Object N/A N/A The field that was changed.

Authorization assertion (definition) data model

Property Type? Required? Mutable? Description
assertion Object N/A N/A The field that was changed.

Authorization attribute (definition) data model

Property Type? Required? Mutable? Description
cacheConfig Object N/A N/A Whether to use caching and if so, a configuration of how to cache.
defaultValue String N/A N/A The default value of the attribute if no resolvers are applied.
isSecret Boolean N/A N/A If true, don’t display the value in decision tree logs.
querySettings Object N/A N/A Allows the user to specify an attribute to resolve its value from, so the user can call the decision engine and refer to the attribute without having to specify its value.
repetitionSource String N/A N/A The ID of the attribute with ValueType “Collection” to get the values from and (maybe process and) output each value. Set resolver to “Current Repetition Value” to use each value from the collection.
resolvers Object N/A N/A The resolvers dictate where the attribute gets its initial value from, which may then be processed by processors. The first resolver to satisfy its condition from top to bottom is the one that is used to derive the value.
valueProcessor Object N/A N/A The processor takes the current value of the attribute and transforms it to another value and/or type.
valueType Object N/A N/A The resulting type of the value of the attribute. See ValueType (ENUM) for all value options.

Authorization effective permissions data model

Property Type? Required? Mutable? Description
definedOn Object N/A N/A The type and ID of the entity which the permission is defined for.
effectivePermissions Object N/A N/A A collection of permissions that the effective permission has.
inherited Boolean N/A N/A Whether the permission is inherited or not.

Authorization condition (definition) data model

Property Type? Required? Mutable? Description
condition Object N/A N/A The condition that defines the condition definition.

Authorization identity class (definition) data model

Property Type? Required? Mutable? Description
identityProperties List N/A N/A List of IDs of identity properties.

Authorization identity provider (definition) data model

Property Type? Required? Mutable? Description
identityProperties List N/A N/A List of IDs of identity properties.

Authorization service (definition) data model

Property Type? Required? Mutable? Description
cacheSettings Object N/A N/A Cache settings for the service.
isSecret Boolean N/A N/A If true, don’t display the value in decision tree logs.
serviceSettings Object N/A N/A Allows the user to specify an attribute to resolve its value from, so the user can call the decision engine and refer to the attribute without having to specify its value.
serviceType Object N/A N/A Describes the type of service. See See ServiceType (ENUM) for all value options.
resolvers Object N/A N/A The resolvers dictate where the attribute gets its initial value from, which may then be processed by processors. The first resolver to satisfy its condition from top to bottom is the one that is used to derive the value.
valueProcessor Object N/A N/A The processor takes the current value of the attribute and transforms it to another value and/or type.
valueType Object N/A N/A The resulting type of the value of the attribute. See ValueType (ENUM) for all value options.

Authorization value processor (definition) data model

Property Type? Required? Mutable? Description
valueProcessor Object N/A N/A The processor that makes up the processor definition.

Authorization entity path segment data model

Property Type? Required? Mutable? Description
id String N/A N/A The unique ID of the entity.
shared Boolean N/A N/A The type of the entity.
type String N/A N/A Whether the entity is shared or not.

DefinitionType (ENUM)

Values
ACTION
ASSERTION
ATTRIBUTE
CONDITION
DOMAIN
IDENTITY_CLASS
IDENTITY_PROPERTY
IDENTITY_PROVIDER
NONE
SERVICE
TEST_CASE
TEST_SCENARIO
VALUE_PROCESSOR

ServiceType (ENUM)

Values
CAMEL
DATABASE
LDAP
NONE
RESTFUL

ValueType (ENUM)

Values
BOOLEAN
COLLECTION
DATE_TIME
DURATION
JSON
LOCAL_DATE
LOCAL_DATE_TIME
LOCAL_TIME
NUMBER
PERIOD
STRING
TIME_PERIOD
XML
ZONED_DATE_TIME

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Trust Framework Testing

Trust Framework testing in PingAuthorize enables you to validate the type conversion of policy information points (PIP) included in decision requests and the logical behavior of conditions.

The PingAuthorize Trust Framework test endpoint allows you to test attribute, condition, and service definitions.

Authorization entity testing data model

Property Type? Required? Mutable? Description
attributeValueOverrides Map<String, String> N/A N/A A map of attribute value overrides, where the key is the attribute name and the value is the overridden value.
decisionRequest Object N/A N/A The decision request object containing the details of the decision to be made.
serviceValueOverrides Map<String, String> N/A N/A A map of service value overrides, where the key is the service name and the value is the overridden value.

Authorization decision status data model

Property Type? Required? Mutable? Description
code Object N/A N/A An enumeration of the possible decision evaluation statuses. Can be null. Values: OKAY, GUARD FAILED, INTERNAL GUARD FAILED, MISSING_ATTRIBUTE, TYPE_CONVERSION_ERROR, PROCESSING_ERROR, TIMEOUT.
messages Object N/A N/A Any status messages describing the status code. Can be null.
errors Object N/A N/A Any decision errors produced during an evaluation. Can be null.

Authorization decision error data model

Property Type? Required? Mutable? Description
code Object N/A N/A An enumeration of the possible decision evaluation statuses. Can be null. Values: OKAY, GUARD FAILED, INTERNAL GUARD FAILED, MISSING_ATTRIBUTE, TYPE_CONVERSION_ERROR, PROCESSING_ERROR, TIMEOUT.
messages String N/A N/A A description of the error. Can be null.

Create Trust Framework Test Attribute Definition


Create Trust Framework Test Condition Definition


Create Trust Framework Test Service Definition


Read Trust Framework Definition (ID)


Read Trust Framework Definition Children (ID)


Read Trust Framework Definition Children (Type and Full Name)


Read Trust Framework Definition Dependencies


Read Trust Framework Definition Effective Permissions (ID)


Read Trust Framework Definition Version History (ID)


Read Trust Framework Definition Path (ID)


Read All Trust Framework Root Definition (Type)


Read Trust Framework Definition Test Cases (ID)


Read Trust Framework Definition (Type and Full Name)


Read All Trust Framework Definitions (Type)


Read Trust Framework Definition (Parent Type and Full Name)


Create Trust Framework Root Definition (Type)


Create Trust Framework Definition (Parent ID)


Create Trust Framework Definition (Parent Type and Full Name)


Update Trust Framework Definition (Parent Type and Full Name)


Update Trust Framework Definition (ID)


Delete Trust Framework Definition (ID)


Delete Trust Framework Definition (Parent Type and Full Name)

Policy Manager

The Policy Manager APIs provide a powerful way to implement attribute-based access control and dynamic authorization for your organization's services and data. These APIs allow you to define and enforce policies that determine whether a given resource request should be permitted or denied, enabling fine-grained, context-aware access control.

Use the following components in policies and rules to capture authorization logic:

  • Conditions: Define authorization logic by comparing one thing to another.

  • Targets: Use comparisons to help the decision service determine which policies or rules are relevant to a particular request.

  • Statements: Instruct the decision service to perform additional processing in conjunction with an authorization decision. In addition to allowing or blocking access to a resource, using statements, the decision service can attach information to decision responses and filter and transform API payloads.

  • Combining algorithms: To evaluate the overall decision of a policy, the decision service applies a combining algorithm. The algorithm determines how rules are combined to produce an authorization decision.

Policies

Authorization policies specify the statements (directives that instruct the policy decision service to perform additional processing in conjunction with an authorization decision), conditions (authorization logic comparing one thing to another), and combining algorithms (the process for combining multiple rules) to determine an authorization decision.

This enables you to build policies that answer the question "Should this resource-access request be permitted or denied?. The PingAuthorize policies endpoint allows you to create, read, update, and delete policies.

Authorization policy data model

Property Type? Required? Mutable? Description
children Array Optional Mutable The list of child policies or rules. Can be either referenced or embedded.
combiningAlgorithm Object Required Immutable The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules.
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization policy resource's description.
disabled Boolean Optional Mutable Whether the Policy is disabled or not.
id String N/A Read only The policy resource's unique identifier.
name String Required Mutable A user-friendly policy name. The name value must be unique.
repetitionSettings Object Optional Mutable Applies the policy to each item of the specific attribute, filtered by decision.
shared Boolean N/A N/A Whether the Policy is shared or not.
statements Object Optional Mutable A collection of Statement IDs, see Authorization Statements.
targets String N/A N/A A collection of Target IDs.
type String Required Mutable The attribute type. Value is always POLICY.
version String Required Read only The unique version ID of the Policy.

Authorization policy representation data model

Property Type? Required? Mutable? Description
children Array Optional Mutable The list of child policies or rules. Can be either referenced or embedded.
combiningAlgorithm Object Required Immutable The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules.
condition Object Optional Mutable The authorization condition object. For details, see Authorization Conditions.
description String Optional Mutable The authorization policy resource's description.
disabled Boolean Optional Mutable Whether the Policy is disabled or not.
id String N/A Read only The policy resource's unique identifier.
name String Required Mutable A user-friendly policy name. The name value must be unique.
repetitionSettings Object Optional Mutable Applies the policy to each item of the specific attribute, filtered by decision.
shared Boolean N/A N/A Whether the Policy is shared or not.
statements Object Optional Mutable A collection of Statement IDs, see Authorization Statements.
targets String N/A N/A A collection of Target IDs.
version String Required Read only The unique version ID of the Policy.

Policy node representation

Either a PolicyRepresentation, PolicySetRepresentation, or PolicyNodeReference.

Authorization policy node reference data model

Property Type? Required? Mutable? Description
id String N/A Read only The policy resource's unique identifier.
type String Required Mutable The attribute type. Value is always POLICY.

Authorization repetition settings data model

Property Type? Required? Mutable? Description
decision Object N/A N/A Decision used as a filter.
source String N/A N/A ID of the repetition source being referenced.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read All Policies


Read One Policy (ID)


Read Policy Effective Permissions (ID)


Read Policy Version History (ID)


Read All Parent PolicySets of Policy (ID)


Read Policy with Dependencies (ID)


Read Policy Path (ID)


Read All Root Policies


Read All Entities that Reference Policy


Create Policy


Update Policy (ID)


Update Parent PolicySets of Policy (ID)


Delete Policy (ID)

Policy Sets

A policy set in PingAuthorize is a container for one or more policies. These endpoints provide the ability to create, read, update, and delete policy sets in the PingAuthorize policy manager.

Authorization policy set data model

Property Type? Required? Mutable? Description
children Array Optional Mutable References of the child policies and policy sets.
combiningAlgorithm Object Required Immutable Governs how the children are combined to produce an outcome for the policy set
condition Object Optional Mutable An object representing the targeting condition within the policy set.
description String Optional Mutable The authorization policy set resource's description.
disabled Boolean Optional Mutable Whether the policy set is disabled or not.
id String N/A Read only The policy set resource's unique identifier.
name String Required Mutable The name of the policy set.
shared Boolean N/A N/A Whether the policy set is shared or not.
statements String Optional Mutable A collection of statement IDs.
targets String N/A N/A A collection of Target IDs.
type String Required Mutable The attribute type. Value is always PolicySet.
version String Required Read only The unique version ID of the policy set.

Authorization policy set representation data model

Property Type? Required? Mutable? Description
children Array Optional Mutable Child policies and policy sets, either in the form of a new in-line policy / policy set (PolicyRepresentation / policy setRepresentation), or a reference to a library policy / policy set (PolicyNodeReference).
combiningAlgorithm Object Required Immutable Governs how the children are combined to produce an outcome for the policy set.
condition Object Optional Mutable An object representing the targeting condition within the policy set.
description String Optional Mutable The authorization policy set resource's description.
disabled Boolean Optional Mutable Whether the policy set is disabled or not
id String N/A Read only The policy set resource's unique identifier.
name String Required Mutable The name of the policy set.
shared Boolean N/A N/A Whether the policy set is shared or not.
statements Object Optional Mutable A collection of Statement IDs.
targets String N/A N/A A collection of Target IDs.
version String Required Read only The unique version ID of the policy set.

Policy node representation

Either a PolicyRepresentation, PolicySetRepresentation, or PolicyNodeReference.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read All PolicySets


Read All Root PolicySets


Read All PolicySet Reference Entities (ID)


Read One PolicySet


Read PolicySet Path (ID)


Read PolicySet with Dependencies


Read Parent PolicySets of PolicySet


Read PolicySet Version History


Read PolicySet Effective Permissions


Create PolicySet


Update PolicySet


Update Parent PolicySet (ID)


Delete PolicySet

Rules

Policy rules power the fine-grained access control capability of PingAuthorize. Rules contain logical conditions that evaluate to true or false. Policies can include one or more rules to produce a fine-grained authorization decision of Permit, Deny, Indeterminate, or Not Applicable.

To evaluate the overall decision of a policy, the policy decision point (PDP) applies a combining algorithm. The default algorithm that is set on a new policy is The first applicable will be the final decision. This algorithm stops evaluating as soon as it reaches a decision that is not Not Applicable.

Authorization rules data model

Property Type? Required? Mutable? Description
condition Object Optional Mutable An object representing the conditions within the Rule.
description String Optional Mutable The authorization rule resource's description.
disabled Boolean Optional Mutable Whether the Rule is disabled or not.
effectSettings Object Required Immutable Determines whether the rule results in a permit or deny.
id UUID Required Read only The resource's unique identifier.
name String Required Mutable The name of the rule.
statements Object Optional Mutable A collection of Statement IDs.
targets String N/A N/A A collection of Target IDs.
type String Required Immutable The entity type. Value is always RULE.
version UUID Required Read only The unique version ID of the Rule.

Rule node representation

Either a RuleRepresentation or a RuleReference.

Authorization rule representation data model

Property Type? Required? Mutable? Description
condition Object Optional Mutable An object representing the conditions within the Rule. For details, see Authorization Conditions.
description String Optional Mutable The authorization rule resource's description.
disabled Boolean Optional Mutable Whether the Rule is disabled or not.
effectSettings Object Required Immutable Determines whether the rule results in a permit or deny.
id UUID Required Read only The resource's unique identifier.
name String Required Mutable The name of the rule.
statements Object Optional Mutable A collection of Statement IDs. For details, see Authorization Statements.
targets String N/A N/A A collection of Target IDs.
version UUID Required Read only The unique version ID of the Rule.

Authorization rule reference data model

Property Type? Required? Mutable? Description
id UUID Required Read only The resource's unique identifier.
type String Required Immutable The entity type. Value is always RULE.

ConditionalPermitElseDeny

Property Type? Required? Mutable? Description
condition String Required Read only The condition that determines whether the result is permit or deny.

ConditionalDenyElsePermit

Property Type? Required? Mutable? Description
condition String Required Read only The condition that determines whether the result is permit or deny.

EffectSettings

Property Subtypes
{type} The type of effect settings, either: “unconditionalPermit”,”unconditionalDeny”,”conditionalPermitElseDeny”,”conditionalDenyElsePermit”

CombingAlgorithm

Subtypes
DenyOverrides
DenyUnlessPermit
DenyUnlessThreshold
FirstApplicable
OnlyOneApplicable
PermitOverrides
PermitUnlessDeny

Decision (ENUM)

Values
DENY
INDETERMINATE
NOT_APPLICABLE
PERMIT

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
403 You do not have permissions or are not licensed to make this request.
404 The requested resource was not found.

Read All Rules


Read All Parent Policies of Rule (ID)


Read One Rule (ID)


Read Rule Path (ID)


Read Rule with Dependencies (ID)


Read Rule Effective Permissions (ID)


Read All Entities that Reference the Rule (ID)


Read Rule Version History (ID)


Read Root Rules


Create Rule


Update Rule


Update Parent Policies of Rule (ID)


Delete Rule

Statements

A statement is a directive that instructs the policy enforcement point (PEP) to perform additional actions alongside an authorization decision.

By adding statements to the Library, you can easily add them to your policies. Without statements, policies simply return a permit or deny decision. With statements, you can include additional information in decisions, such as adding response headers on a permit decision or including a message with a deny decision. Statements only apply when a rule or policy returns a permit or deny decision. They are not included in decisions that are indeterminate or not applicable.

The Policy Editor comes with the following pre-configured statements:

  • Add Filter: Use the add-filter code to add administrator-required filters to System for Cross-domain Identity Management (SCIM) search queries.

  • Combine SCIM Search Authorizations: Use the combine-scim-search-authorizations code to optimize policy processing for SCIM search responses.

  • Denied Reason: Use the denied-reason code to allow a policy writer to provide an error message that contains the reason for denying a request.

  • Exclude Attributes: Use the exclude-attributes code to specify the attributes to exclude from a JSON response.

  • Filter Response: Use the filter-response code to direct PingAuthorize Server to invoke policy iteratively over each item of a JSON array contained within an API response.

  • Include Attributes: Use the include-attributes code to limit the attributes that a JSON response can return.

  • Modify Attributes: Use the modify-attributes code to modify the values of attributes in the JSON request or response.

  • Modify Headers: Use the modify-headers code to modify the values of request headers before PingAuthorize sends them to the upstream server or to modify the values of response headers before PingAuthorize returns them to the client.

  • Modify Query: Use the modify-query to modify the query string of the request sent to the API server.

  • Modify SCIM Patch: Use the modify-scim-patch code to add operations to a SCIM patch in a modify request before it is submitted to the store adapter.

  • Regex Replace Attributes: Use the regex-replace-attributes to specify a regex to search for attributes in a request or response body and replace their values with a regex replacement string.

For more information about statement codes and payloads, see Statements in the PingAuthorize Policy Administration Guide.

The statements endpoint provides operations for creating, reading, updating, and deleting policy statements. Each operation requires either a branch ID or a statement ID in the request URL.

Statements data model
Property Type Required Mutable Description
id String N/A Read-only Specifies the ID of the statement.
version String N/A Read-only Specifies the version ID of the statement.
type String Optional Mutable Specifies the resource type. Always set to statement.
name String Required Mutable Specifies the name of the statement.
description String Optional Mutable Provides a description of the statement.
shared Boolean Optional Mutable A boolean that specifies whether or not the statement is shared between policy entities.
code String Required Mutable Specifies a unique statement type identifier.
appliesTo String Optional Mutable Specifies the type of decisions the statement is attached to. Allowable values are ANYTHING, PERMIT, DENY, PERMIT_OR_DENY, or INDETERMINATE. Defaults to ANYTHING.
appliesIf String Optional Mutable Specifies the condition under which the statement is returned in the decision response. Allowable values are ANYTHING, FINAL_DECISION_MATCHES, and PATH_MATCHES. Defaults to PATH_MATCHES.
payload String Optional Mutable Specifies the set of parameters governing the actions performed when PingAuthorize applies the statement. The appropriate payload value depends on the statement type.
obligatory Boolean Optional Mutable A boolean that determines whether the final decision applies only if the statement can be fulfilled.
attributes String[] Optional Mutable Specifies the IDs of attributes to include in the statement payload.
services String[] Optional Mutable Specifies the IDs of services to include in the statement payload.
effectivePermissions JSON[] N/A Read-only Specifies a list of permissions assigned to the statement. Each permission object contains the following fields:
* permission: The operation for which permission is enabled. For example, READ.
* role: The role to which the permission is assigned.
definedOn String N/A Read-only Specifies the unique ID of the statement to which permissions are assigned.
inherited Boolean N/A Read-only Specifies whether or not permissions are inherited from a parent entity.
pageHeader.entityId UUID N/A Read-only Specifies the unique ID of the statement for which a version history is being retrieved.
pageHeader.entityType String N/A Read-only Specifies the type of entity for which a version history is being retrieved.
version UUID N/A Read-only Specifies the unique ID of a statement version.
deltaId UUID N/A Read-only Specifies the unique ID of a snapshot delta.
snapshotId UUID N/A Read-only Specifies the unique ID of a snapshot.
timestamp String N/A Read-only Specifies the date and time at which a delta was generated.
user String N/A Read-only Specifies the user who was signed when the delta was generated.
Result filtering data model
Filtering parameter Description
page Specifies the page number of results to return.
page-size Specifies the number of results to return per page.
onlyShared Set to true to only list the statements shared between policy entities. Set to false to list all statements defined in the system.
Response codes
Code Message
200 Successful operation.
201 Successful operation.
400 A branch, snapshot or JSON value has not been specified correctly, or is missing.
404 The statement with the given ID was not found.
409 The statement ID in the URL does not match the statement ID in the request body.
409 The statement is referred to somewhere else and cannot be deleted until those references are removed.

Create Statement


Read All Statements


Read One Statement


Read Statement Dependencies


Read Statement Effective Permissions


Read Statement Version History


Read Statement Path


Read Statement References


Update Statement


Delete Statement

Targets

Targets define the conditions that determine when policies and rules apply to decision requests.

Targets enable the decision service to evaluate whether a policy or rule is relevant to a specific request. If a target's condition is true, the rule or policy will be evaluated. Otherwise, the rule or policy is not applicable to the decision request. The library makes targeting logic available for easy reuse across policies and rules.

The targets endpoint provides operations for creating, reading, updating, and deleting policy targets. Each operation requires either a branch ID or a statement ID in the request URL.

Targets data model
Property Type Required Mutable Description
id String N/A Read-only Specifies the ID of the target.
version String N/A Read-only Specifies the version ID of the target to update.
type String Optional Mutable Specifies the resource type. Always set to target.
name String Required Mutable Specifies the name of the target.
description String Optional Mutable Provides a description of the target.
shared Boolean Optional Mutable A boolean that determines whether the target is shared between policy entities or not.
disabled Boolean Optional Mutable A boolean that determines whether the target is disabled or not.
targeted Object{} Optional Mutable Specifies a list of object collections mapping definition types to entity IDs. For example, {"actions": ["b072d76e-0085-4423-99c2-4e16b74e88fa"]}. The allowed definition types are actions, services, domains, and identityClasses.
effectivePermissions JSON[] N/A Read-only Specifies a list of permissions assigned to the statement. Each permission object contains the following fields:
* permission: The operation for which permission is enabled. For example, READ.
* role: The role to which the permission is assigned.
definedOn String N/A Read-only Specifies the unique ID of the target to which permissions are assigned.
inherited Boolean N/A Read-only Specifies whether or not permissions are inherited from a parent entity.
pageHeader.entityId UUID N/A Read-only Specifies the unique ID of the target for which a version history is being retrieved.
pageHeader.entityType String N/A Read-only Specifies the type of entity for which a version history is being retrieved.
version UUID N/A Read-only Specifies the unique ID of a target version.
deltaId UUID N/A Read-only Specifies the unique ID of a snapshot delta.
snapshotId UUID N/A Read-only Specifies the unique ID of a snapshot.
timestamp String N/A Read-only Specifies the date and time at which a delta was generated.
user String N/A Read-only Specifies the user who was signed in when the delta was generated.
Response codes
Code Message
200 Successful operation.
400 A valid branch or snapshot has not been specified.
400 The target ID is not formatted correctly.
404 The target with the provided ID was not found.
409 The ID in the URL and the ID in the request body do not match.
409 The target with the given ID is referred to elsewhere in the system and cannot be deleted until all such references are removed.

Create Target


Read All Targets


Read One Target


Read Target Dependencies


Read Target Effective Permissions


Read Target Version History


Read Target Path


Read Target References


Update Target


Delete Target

Test Cases


Read All Test Cases (PolicySet/Policy/Rule)

Decision Node Testing


Create Test Evaluation of Decision Node (ID)

Test Suite

Use the test suite to define test cases, test scenarios, and assertions to validate the behavior of Trust Framework and policy entities.

Building a library of test cases supports a test-driven approach to policy and Trust Framework development. This library can serve as a suite of regression checks, ensuring consistent behavior with each new version of your policies or Trust Framework.

Test scenarios include the subject, resources, actions, and attributes relevant to a decision, as well as optional overrides for attribute and service values. Test cases build on test scenarios by:

  • specifying which policy, rule, or Trust Framework definition to test, and
  • adding optional assertions to validate the decision result.

After you define a test scenario, you can reference that scenario by ID in your test cases.

For more information about each test suite entity type, see Test Suite in the PingAuthorize Policy Administration Guide.

The test suite endpoint provides operations for creating, reading, updating, and deleting test suite entities. Each operation requires either a branch ID or a statement ID in the request URL.

Test suite data model

Test case data model
Property Type Required Mutable Description
id UUID N/A Read-only Specifies the ID of the test case.
version UUID N/A Read-only Specifies the version ID of the test scenario.
name String Required Mutable Specifies the unique name of the test case.
description String Optional Mutable Provides a description for the test case.
parentId UUID Optional Mutable Specifies the ID of the test case parent.
objectType String N/A Mutable Specifies the type of the entity being created or updated. Always set to TestCaseDefinition.
permissions.rolePermissions JSON[] Optional Mutable Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}].
permissions.inherit Boolean Optional Mutable Specifies whether the test case inherits permissions from its parent or not.
testCase.testedEntities Test entity[] Optional Mutable Provides a collection of entities to include in the test case.
testCase.testedEntities.assertions Assertion[] Optional Mutable Specifies an assertion object to include with the test case.
testCase.testScenarioDefinitionId String Optional Mutable Specifies the ID of a test scenario to reference in the test case.
testCase.testScenario.request.domainId String Optional Mutable Specifies the ID of a domain to include in the test request.
testCase.testScenario.request.serviceId String Optional Mutable Specifies the ID of a service to include in the test request.
testCase.testScenario.request.identityProviderId String Optional Mutable Specifies the ID of an identity provider to include in the test request.
testCase.testScenario.request.actionId String Optional Mutable Specifies the ID of an action to include in the test request.
testCase.testScenario.attributeOverrides JSON Optional Mutable Specifies how to override attribute values with a list of key-value pairs. For example, {"3577dd53-a71a-4ce8-ab40-c9c083c7c5b9": "override-value"}.
testCase.testScenario.serviceOverrides JSON Optional Mutable Specifies how to override service values with a list of key-value pairs. For example, {"3553dd53-a71a-4ce8-fb40-c9c083c7c5g9": "override-value"}.
Test scenario data model
Property Type Required Mutable Description
id UUID N/A Read-only Specifies the ID of the test scenario.
version UUID N/A Read-only Specifies the version ID of the test scenario.
name String Required Mutable Specifies the unique name of the test scenario.
description String Optional Mutable Provides a description for the test scenario.
parentId UUID Optional Mutable Specifies the ID of the test scenario parent.
objectType String N/A Mutable Specifies the type of the entity being created or updated. Always set to TestScenarioDefinition.
permissions.rolePermissions JSON[] Optional Mutable Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}].
permissions.inherit Boolean Optional Mutable Specifies whether the test scenario inherits permissions from its parent or not.
testScenario.request.domainId String Optional Mutable Specifies the ID of a domain to include in the test request.
testScenario.request.serviceId String Optional Mutable Specifies the ID of the service to include in the test request.
testScenario.request.identityProviderId String Optional Mutable Specifies the ID of the identity provider to include in the test request.
testScenario.request.actionId String Optional Mutable Specifies the ID of the action to include in the test request.
testScenario.attributeOverrides JSON Optional Mutable Specifies how to override attribute values with a list of key-value pairs. For example, {"3577dd53-a71a-4ce8-ab40-c9c083c7c5b9": "override-value"}.
testScenario.serviceOverrides JSON Optional Mutable Specifies how to override service values with a list of key-value pairs. For example, {"3553dd53-a71a-4ce8-fb40-c9c083c7c5g9": "override-value"}.
Test entity data model
Property Type Required Mutable Description
entityId UUID N/A Read-only Specifies the unique ID of the entity to include in the test case.
entityType String Required Immutable Specifies the type of the entity to include in the test case. For example, String.
assertions Assertion[] Optional Mutable Provides a collection of assertions to include in the test case.
Assertion data model
Property Type Required Mutable Description
id UUID N/A Read-only Specifies the ID of the assertion.
version UUID N/A Read-only Specifies the version ID of the assertion.
parentId UUID Optional Mutable Specifies the ID of a parent for the assertion.
name String Required Mutable Specifies the unique name of the assertion.
description String Optional Mutable Provides a description for the assertion.
objectType String N/A Mutable Specifies the type of the entity being created or updated. Always set to AssertionDefinition.
permissions.inherit Boolean Optional Mutable Determines whether the assertion inherits permissions from its parent.
permissions.rolePermissions JSON[] Optional Mutable Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}].
assertion.type String Required Mutable Specifies the assertion type. For example, json-path. To use an already-defined assertion in a test case, set the type to referenced.
assertion.accessor String Required Mutable Specifies a JSONPath accessor to extract information from the response.
assertion.comparator String Optional Mutable Specifies a comparison to perform between the extracted value and the expected value. Defaults to EQUALS. For detailed information about comparators, refer to Conditions in the PingAuthorize Policy Administration Guide.
assertion.expectation.valueType String Required Mutable Specifies the type of the expected value. For example, String.
assertion.expectation.value String Required Mutable Specifies the expected value.

Create Root Test Suite Entity


Create Child Test Suite Entity


Create Test Suite Entity by Type and Full Name


Read Test Suite Entity Path


Read Test Suite Entity Children


Read Test Suite Entity Children by Type and Full Name


Read Test Suite Entity Dependencies


Read Test Suite Entity Effective Permissions


Read Test Suite Entity Version History


Read One Test Suite Entity


Read Test Suite Entity by Type and Full Name


Read All Test Suite Entities by Type


Read All Root Test Suite Entities by Type


Update Test Suite Entity


Update Test Suite Entity by Type and Full Name


Delete Test Suite Entity


Delete Test Suite Entity by Type and Full Name

Test Runner

Using the test runner, you can validate policy and Trust Framework configurations through automated testing.

A test run executes one or more test cases, or an entire test suite, and returns the results.

Test runner data model

Property Type Required Mutable Description
description String Optional Immutable A string that provides a description for the test run.
testCaseIds String[] Required Immutable A collection that includes a list of test case IDs to be added to the test run.

Response codes

Code Message
200 Successful operation.
400 A valid branch or snapshot has not been specified.

Create Test Run


Read All Test Run Reports


Read One Test Run Report


Read Full Test Result


Read All Test Result Summaries


Read Summaries of Recently Executed Test Results


End Test Run

Snapshot Service

Snapshots provide a comprehensive, point-in-time representation of the system's configuration and policy state. Stored as a .snapshot file, they allow you to capture and preserve the state of your authorization environment, enabling straightforward replication of policy and Trust Framework configuration across environments. Snapshots support version control and change management by allowing teams to safely experiment with policy updates or system changes, and quickly revert to a previous state if necessary.

Each snapshot is associated with a specific commit. For more information on managing snapshots in the Policy Editor, see Snapshot Manager.

Snapshot service data model

Property Type Required Mutable Description
id UUID N/A Read-only Specifies the unique ID of the newly created branch.
name String Required Mutable Specifies the name of the newly created branch.
head UUID N/A Read-only Specifies the unique ID of the snapshot at the head of the newly created branch.
parentId UUID N/A Read-only Specifies the unique ID of the parent of the newly created branch, if such a parent exists.
tip.id UUID N/A Read-only Specifies the unique ID of the snapshot at the tip of the newly created branch.
tip.parentId UUID N/A Read-only Specifies the unique ID of the parent of the snapshot at the tip of the newly created branch, if such a parent exists.
tip.state String N/A Read-only Specifies the state of the imported snapshot. The state is either COMMITTED or UNCOMMITTED.
tip.commitDetails JSON N/A Read-only Provides details of the commit associated with the imported snapshot.
tip.approvals String[] N/A Read-only Provides a list of approval user IDs associated with the imported snapshot.
tip.branchId UUID N/A Read-only Specifies the unique ID of the imported snapshot's original branch.
<objectType> JSON[] Required Immutable Provides an array of the JSON objects contained in an exported snapshot.
<objectType> Snapshot Entity[] Optional Immutable Provides an array of entities to include in a partial snapshot.

Snapshot entity reference data model

Property Type Required Mutable Description
id UUID Required Immutable Specifies the unique ID of the entity to include in a partial snapshot.
type String Required Immutable Specifies the type of entity to include in a partial snapshot. See Entity types for a list of allowable values.
includeChildren Boolean Required Immutable A boolean that determines wether to include children of an entity being included in a partial snapshot.

Conflict data model

Property Type Required Mutable Description
id UUID N/A Read-only Specifies the unique ID of the entity creating a conflict.
type String N/A Read-only Specifies the type of entity creating a conflict. See Entity types for a list of possible values.
name String N/A Read-only The name of the entity creating the conflict.
conflict String[] N/A Read-only Provides a list of types of conflict that occurred in the merge process. The two types of conflict are COLLISION and DUPLICATE_FULL_NAME.

Conflict resolution data model

Property Type Required Mutable Description
id UUID Required Immutable Specifies the unique ID of the conflict resolution.
type String Required Immutable Specifies the type of entity to resolve a conflict for. See Entity types for a list of allowable values.
resolution String Required Immutable Specifies how to resolve the merge conflict by either retaining the incoming changes (TAKE_SNAPSHOT) or the existing version (TAKE_MINE).

Response codes

Code Message
200 Successful operation.
400 A valid JSON value has not been specified correctly or the body provided is not a snapshot.
400 An invalid UUID format has been specified.
404 There is no snapshot in the system with the provided ID.
409 Branch name already exists.
409 Conflicts found.

Export Snapshot


Import Snapshot


Merge Snapshot into Branch

Version Control

Branch Manager

The branch manager provides operations to create snapshots, as well as read, update, and merge policy branches.

Policy branches enable you to manage different sets of Trust Framework definitions and policies by storing these sets in separate branches. This is helpful in development environments, where you might need to quickly reconfigure PingAuthorize between policy branches.

To easily switch between policy branches and test configurations, define Policy External Servers for each branch and update the Policy Decision Service's policy-server property. Learn more in Changing the active policy branch.

Branch manager data model
Property Type Required Mutable Description
name String Required Mutable Specifies the name of the policy branch.
message String Required Immutable Provides the commit message for creation of a new snapshot.
fromBranchId String Required Immutable Specifies the branch to merge changes from.
resolutions Resolution[] Optional Mutable A collection that includes resolution objects for resolving merge conflicts.
Resolution data model
Property Type Required Mutable Description
resolutionType String Required Immutable Specifies the action to resolve the conflict.
entityReference Entity reference[] Required Immutable Provides a collection of entities causing the conflict.
Entity reference
Property Type Required Mutable Description
id String N/A Read-only Specifies the ID of the entity.
type String N/A Read-only Specifies the entity type.
Response codes
Code Message
201 Changes from the source branch were successfully merged into the destination branch.
204 Successful operation.
404 There is no branch in the system with the given ID.
409 The merge failed due to conflicting changes in the source and destination branches.

Rename Branch


Merge Branches


Create Snapshot


Read All Branches


Read One Branch


Read Uncommitted Changes


Delete Branch and Children


Delete Recent Uncommitted Changes

Snapshot Manager

A snapshot is a set of committed Trust Framework and policy changes made on a branch. You can import and export snapshots to create policy backups and transfer policy configuration between Policy Editor instances.

Snapshot manager data model
Property Type Required Mutable Description
name String Required Mutable A string that defines a name for the newly created policy branch.
Response codes
Code Description
200 Successful operation.
400 The UUID provided is not in the correct format.
400 Branch limit exceeded. Please delete a branch before trying to create any more.
404 There is no branch in the system with the given ID.
404 There is no snapshot in the system with the given ID.
409 The branch name already exists.

Approve Snapshot


Remove Approval of Snapshot


Create Child Branch From Snapshot


Read All Snapshots


Read One Snapshot


Read Difference Between Snapshots


Read Deltas of One Snapshot


Read Snapshot Root


Read Version Control Entry Point

Deployment Package

A deployment package in PingAuthorize is a compiled version of the policy tree. The deployment packages includes all trust framework entities consumed by the policy tree and is the key element that is deployed to PingAuthorize Server.

This service provides the ability to read, create, update, and delete deployment packages.

Authorization deployment package data model

Property Type? Required? Mutable? Description
approvals Object N/A N/A The approvals for the deployment package.
createdBy String N/A N/A The identifier of the user who created the deployment package.
dateCreated String N/A N/A The date and time of when the deployment package was created.
decisionNodeId String N/A N/A The identifier of the root decision node this deployment package is evaluating from.
decisionNodeName String N/A N/A The name of the root decision node.
id String N/A N/A The unique identifier for the deployment package.
name Object N/A N/A The name of the deployment package.
snapshotDateCommitted Instant N/A N/A The date and time when the snapshot was committed.
snapshotId String N/A N/A The identifier of the snapshot associated with the deployment package.
snapshotMessage String N/A N/A The message or description of the snapshot.

Authorization deployment package approval data model

Property Type? Required? Mutable? Description
dateApproved Instant N/A N/A The date and time when the approval was given.
user String N/A N/A The identifier of the user who approved the deployment package.

Read All Deployment Packages


Read One Deployment Package


Read Deployment Package Data (ID)


Create Deployment Package Approval


Create Deployment Package


Delete Deployment Package Approval


Delete Deployment Package

System

Check the system status to make sure the Policy Editor instance is running.

System data model

Property Type Required Mutable Description
started String N/A Read-only Specifies the date and time of system initialization.
status String N/A Read-only Specifies the system status. For example, RUNNING.

Response codes

Code Message
200 Successful operation.

Read System Status

Governance Engine

Authorization decision response buffer configuration data model

Property Type? Required? Mutable? Description
entries Integer N/A N/A The number of entries in the decision response buffer.
filter String N/A N/A The filter applied to the decision responses.
name String N/A N/A The name of the decision response buffer configuration.
secretsSymmetricKey String N/A N/A The base64-encoded symmetric key used for encryption.

Read Buffer Configuration


Read All Previously Evaluated Buffer Decisions

SCIM

Data types and resources

The PingAuthorize Server’s SCIM APIs use the data types and resource format specified by the SCIM 2.0 schema standard, RFC 7643.

SCIM data types

SCIM attributes are typed. The following data types are used:

Data Type Description
string A JSON string.
boolean A JSON boolean value. May have either of the literal values true or false.
decimal A JSON floating-point number.
integer A JSON integer number.
dateTime A JSON string representing a timestamp. SCIM DateTime values are always encoded as an xsd:dateTime value, as specified by XML Schema, section 3.3.7.
binary A JSON string representing a binary value. SCIM binary values are always base64-encoded.
reference A JSON string representing a reference to another resource. A SCIM reference is always a URI: This may be a URN, the URL of another SCIM resource, or simply another URL. URLs may be absolute or relative.
complex A JSON object. A SCIM complex attribute is a composition of sub-attributes; these sub-attributes may have any data type except for “complex”.

A SCIM attribute may also be multi-valued. All members of a multi-valued attribute must be of the same data type.

SCIM resource format

A SCIM resource is always represented as a JSON object.

The attributes available in any particular SCIM resource type are defined by the schemas associated with the resource type. A resource type has at least one core schema and may have zero or more extension schemas. An extension schema may be configured to be either required or optional for a resource to be valid.

SCIM schemas provide the means of namespacing JSON attributes. Every schema is identified by a unique schema URN prefix. When specifying attributes, the schema URN prefix is implied for attributes belonging to the core schema but must be provided for attributes belonging to extension schemas. Consider this example resource:

{
  "schemas": [
    "urn:pingidentity:schemas:User:1.0",
    "urn:pingidentity:schemas:sample:profile:1.0"
  ],
  "id": "5caa81af-ec05-41ff-a709-c7378007a99c",
  "meta": {
    "created": "2016-06-07T13:13:30.873Z",
    "lastModified": "2016-06-07T13:13:30.873Z",
    "resourceType": "Users",
    "location": "https://example.com/scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c"
  },
  "userName": "joe.chip",
  "name": {
    "familyName": "Chip",
    "formatted": "Joe Chip",
    "givenName": "Joe"
  },
  "accountVerified": true,
  "urn:pingidentity:schemas:sample:profile:1.0": {
    "termsOfService": [
      {
        "id": "urn:X-pingidentity:ToS:StandardUser:1.0",
        "timeStamp": "2014-11-23T16:36:59Z",
        "collector": "urn:X-pingidentity:App:Mobile:1.0"
      }
    ]
  }
}

This resource has two schemas:

  1. A core schema: urn:pingidentity:schemas:User:1.0
  2. An extension schema: urn:pingidentity:schemas:sample:profile:1.0

The core schema attribute userName may be specified as userName or as urn:pingidentity:schemas:User:1.0.

The extension schema attribute termsOfService may only be specified as urn:pingidentity:schemas:sample:profile:1.0.

Common attributes

In addition to core schema and extension schema attributes, all SCIM resources of any type may have certain common attributes. These attributes never need to be namespaced with a URN.

Common attribute Description
id An immutable unique identifier for the resource. This attribute is always present.
externalId An optional identifier assigned to the resource by the client that provisioned it.
meta A complex read-only attribute containing resource metadata. Its sub-attributes are described in the following table.
Meta sub-attribute Description
resourceType The resource type.
created A timestamp indicating the resource’s creation date.
lastModified A timestamp indicating the time of the resource’s last update.
location The canonical URI of the resource.

List responses

Some SCIM responses, such as search responses, contain multiple resources. These responses are called list responses and have a consistent format using the following fields:

Field Type Provided? Description
schemas array always The SCIM schema of the list response. Always contains the value urn:​ietf:​params:​scim:​api:​messages:​2.​0:​ListResponse.
totalResults number always The number of matching resources.
startIndex number The 1-based index of the first result in the current set of list results. Always present if pagination is used.
itemsPerPage number The number of resources returned per page. Always present if pagination is used.
Resources array always An array consisting of one or more resource objects. For example, this may contain all of the User resources matching a search query.

Authorization

By default, the access token provided by the client in the request (see Authentication) is used to control access to requested resources. The PingAuthorize Server’s access control policies are customizable, but in general, the scopes granted by the access token determine which resources and attributes are returned.

If access controls determine that the client cannot access the requested resource, then a response with a 403 status code is returned.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "insufficient_scope",
    "status": 403,
    "detail": "Requested operation not allowed by the granted OAuth2 scopes."
}

A client may be allowed to access a resource but not all of its attributes. Clients should be prepared to receive incomplete resources, including resources stripped of attributes that are required by the schema.

For information about how to configure an application appropriately for SCIM API access, see configuring scopes in the PingAuthorize Server client developer guide.

Authentication

Clients authenticate to the SCIM APIs by using bearer token authentication, as defined by RFC 6750. Every request must include an Authorization request header, where the header value uses the form Bearer {access token}.

A bearer token must be obtained from an external authorization server, such as PingFederate.


READ User Name

Requests and responses

For each resource type, the PingAuthorize Server exposes a SCIM endpoint. For example:

  • /scim/v2/Users
  • /scim/v2/Products
  • /scim/v2/Suppliers

Making requests

Each resource is addressable by an identifier; the combination of a resource type name (Users) and the identifier (5caa81af-ec05-41ff-a709-c7378007a99c) uniquely identifies the resource to the PingAuthorize Server. For example:

/scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c

Media types

All requests and responses use the UTF-8 character encoding and are formatted as JSON. Clients must accept either the application/scim+json or application/json media types, and the request should always provide an Accept request header with one or both values.

When providing a request body (as with POST, PUT, and PATCH requests), clients should include a Content-Type request header with the value application/scim+json or application/json.

Updating resources

SCIM resources are modified using the PUT and PATCH methods, described by sections 3.5.1 and 3.5.2 of RFC 7644, respectively. See the user profile API reference for examples.

HTTP method Description
PUT Replace an existing resource with a resource representation specified in the body of the request. Typically used after a client has obtained a resource using GET.
PATCH Perform a partial modification of a resource against specific attributes specified by the client. A PATCH request uses the following operation types: add, remove, replace.

Because access controls enforced by the PingAuthorize Server’s policies and scopes can limit a client’s view of a resource, the server must assume that the client may not have access to all attributes of a resource. This is important for PUT requests, because the server needs to distinguish between a case in which the client explicitly wishes to remove an attribute and a case in which the client does not know about an attribute. The general rule is that the server ignores an attribute that is omitted from a PUT request, rather than deleting it. If a client explicitly wishes to delete an attribute, then it should set its value to null.

When a client requests a modification, the PingAuthorize Server computes the difference between the current state of the resource and the state specified by the modification request, applying a minimal set of changes when passing the modification request to the user store. In effect, this means that a PUT request is ultimately treated as if it were a PATCH request. This prevents unnecessary modifications from being sent to the user store and, more importantly, also prevents the client from inadvertently removing attributes that it did not specify because it did not have access to them.

The PingAuthorize Server performs this diffing logic at the attribute and sub-attribute level, comparing each attribute in a modification request against the corresponding attribute in the current resource. For multivalued, complex attributes, the server iterates through the values in the modification request and tries to find the corresponding value in the current resource to determine a match. If it is found, it then diffs at the sub-attribute level.

This behavior is summarized by the following table.

Operation Result
PUT Request omitting a simple single-valued attribute (such as userName). No change.
PUT or PATCH request setting a simple single-valued attribute to null. The attribute is deleted.
PUT or PATCH request replacing the value of a multi-valued attribute, omitting an existing member. The omitted attribute is deleted.
PUT or PATCH request replacing the value of a complex attribute, omitting an existing sub-attribute. No change to the omitted sub-attribute.

For example, if the current value of a resource’s phoneNumbers attribute is:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "type": "work",
      "primary":"true"
   }
]

And a modification request includes:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "primary": "false"
   }
]

Then the final result is:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "type": "work",
      "primary": "false"
   }
]

When finding a matching value in a complex attribute, matches of the value, $ref, type, and display sub-attribute values are given more weight when compared to values of other sub-attributes. This is done because the above sub-attribute values are typically unique for any given complex attribute.

Specifying attributes to return

By default, all attributes that the client is authorized to read will be returned when a resource is requested. Your application can provide special query parameters to override this behavior.

Parameter Description
attributes Indicates the set of attributes to include in the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN.
excludedAttributes Indicates a set of attributes to exclude from the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN.

The /Me endpoint

A special endpoint is available at /scim/v2/Me that acts as an alias for the currently authenticated user, the user associated with the bearer token.

For example, if the currently authenticated user is available via the path /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c, then the same user resource will also be available through /scim/v2/Me. The two paths are interchangeable, and the /Me endpoint can be substituted in any request path where the combination of resource type and identifier might otherwise be used.

This includes sub-resources. For example, for an authenticated user with the ID 5caa81af-ec05-41ff-a709-c7378007a99c, the paths /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c/password and /scim/v2/Me/password both identify the user’s password sub-resource.

Filtering searches

Some but not all endpoints support an optional filter parameter for filtering responses containing multiple resources. As a rule of thumb, if a SCIM path returns a single resource, it does not support filtering. If it returns multiple resources, then it generally supports filtering. For example, /scim/v2/Users supports filtering, but /scim/v2/Users/{userId} does not.

SCIM filtering is described in detail by RFC 7644, section 3.4.2.2, and that should be considered an authoritative reference. The following discussion should not be considered exhaustive.

The value of the filter parameter is a search filter, which typically takes the form <attribute> <operator> <value>. For example:

filter=userName eq "pkd"

Search responses are always list responses, except in the case of an error.

The following attribute operators are supported:

Operator Description
eq equal
ne not equal
co contains
sw starts with
ew ends with
pr present
gt greater than
ge greater than or equal to
lt less than
le less than or equal to

The following logical operators are supported:

Operator
and
or
not

The following grouping operators are supported:

Operator Description
() Groups expressions to alter precedence.
[] Contains a filter expression to be applied to a complex attribute. See example below.

The following is a sample of filtering by a core attribute:

filter=userName eq "pkd"

The following is a sample of filtering by an extended attribute using the ‘starts with’ operator:

filter=urn:pingidentity:schemas:sample:profile:1.0:birthDate sw "1939"

The following is a sample of a complex filter:

filter=emails[value eq "glen@runciter.com"]

The following is a sample of a complex filter with two expressions:

filter=emails[value eq "glen@runciter.com" and type eq "work"]

For more information about searching with SCIM, including caveats, see the client developer guide.

Pagination

The client can provide pagination parameters to page through search result sets.

Parameter Description
startIndex The 1-based index of the first query result.
count A non-negative integer specifying the maximum number of matching resources to return per page. If 0 is specified, then no resources will be returned, but the totalResults field will still indicate the number of matching resources.

Search Users with GET


Search Users with POST

Service metadata

The PingAuthorize Server provides three service metadata endpoints, ServiceProviderConfig, Schemas, and ResourceTypes, which clients may use to discover information about the service’s capabilities, configuration, schemas, and resource types.

Clients do not necessarily need to rely on the service metadata endpoints. Clients may be developed based on an out-of-band understanding of the service configuration and data.


READ SCIM service provider configuration


READ SCIM schemas


READ One SCIM schema


READ SCIM resource types


READ One SCIM resource type

User profile

The user profile endpoint exposes user attributes from the PingAuthorize Server’s user store as SCIM resources.

Note that the schemas used, the resource type, and the endpoint name may all be configured differently than shown here.

This guide assumes that the PingAuthorize Server is configured to serve user resources at the /scim/v2/Users endpoint. The information in this reference is applicable to any resource type, however.


CREATE A User


READ Search Users (POST)


READ Search Users (GET)


READ One User


UPDATE All User attributes (PUT)


UPDATE Replace one or more User attributes (PATCH)


UPDATE Add a member to User attributes (PATCH)


UPDATE Remove a value from User attributes (PATCH)


DELETE a User

Me endpoint

A special endpoint is available at /scim/v2/Me that acts as an alias for the currently authenticated user, the user associated with the bearer token.

For example, if the currently authenticated user is available via the path /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c, then the same user resource will also be available through /scim/v2/Me. The two paths are interchangeable, and the /Me endpoint can be substituted in any request path where the combination of resource type and identifier might otherwise be used.

This includes sub-resources. For example, for an authenticated user with the ID 5caa81af-ec05-41ff-a709-c7378007a99c, the paths /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c/password and /scim/v2/Me/password both identify the user’s password sub-resource.


READ One User (Me Endpoint)


UPDATE All User attributes (Me Endpoint)


UPDATE Replace one or more User attributes (PATCH) (Me Endpoint)


UPDATE Add a member to User attributes (PATCH) (Me Endpoint)


UPDATE Remove a value from User attributes (PATCH) (Me Endpoint)


DELETE a User (Me Endpoint)

Errors

Like all other responses, errors are returned as SCIM responses with a media type of application/scim+json.

Field Type Provided? Description
schemas array always SCIM schemas used in the error message. The schemas array will always include the value urn:​ietf:​params:​scim:​api:​messages:​2.​0:​Error to identify the message as an error. Other schema values may be present if Ping Identity-proprietary error fields are used.
status number always The HTTP status code of the error. This will always be in the 400 or 500 range.
scimType string An error code defined by RFC 7644, section 3.12.
detail string A human-readable error description. In some cases, this field may contain error messages received from the underlying data store.
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "invalid_token",
    "status": 401,
    "detail": "Access token is expired or otherwise invalid."
}

Password update errors

If an error response is returned because of a password update failure, then an additional field will be provided under the urn:unboundid:scim:api:messages:2.0:PasswordUpdateError schema URN.

Field Type Provided? Description
passwordRequirements array An array of password quality requirements, which are rules that must be satisfied in order to successfully change a password. See here for a description of password quality requirements.
{
     "detail": "The provided new password cannot be the same as the current password or any password in the user's password history",
     "schemas": [
         "urn:pingidentity:scim:api:messages:2.0:PasswordUpdateError"
     ],
     "scimType": "invalidValue",
     "status": 400,
     "urn:pingidentity:scim:api:messages:2.0:PasswordUpdateError": {
         "passwordRequirements": [
             {
                 "additionalInfo": "The provided new password cannot be the same as the current password or any password in the user's password history.",
                 "description": "The new password must not be the same as the current password.",
                 "requirementSatisfied": false,
                 "type": "notCurrentPassword"
             }
         ]
     }
 }

Changelog

The following changes have been made to the PingAuthorize SCIM API.

Release Date Description
6/9/2022 The PingAuthorize SCIM API Reference migrated from Postman.