PingAuthorize API Reference
Policy Decision
The PingAuthorize Server provides Authorization Policy Decision APIs to support non-API use cases.
The Authorization Policy Decision APIs consist of the following policy decision point (PDP) APIs:
-
This API provides a standards-based interface.
Standards-based enforcement points request policy decisions based on a subset of the XACML-JSON standard. For more information, see XACML 3.0 JSON Profile 1.1.
-
This API provides a simple interface.
The Authorization Policy Decision APIs can indicate when a request or response triggers advice, but the application server must implement the advice.
To make a PDP API available, you must:
- Configure the PingAuthorize Server with a feature-enabled license during setup.
- Configure the PDP Service. For more information, see Use policies in a production environment.
- For the XACML-JSON PDP API, configure an Access Token Validator. For more information, see Access Token Validators.
XACML-JSON PDP API Reference
The XACML-JSON PDP API provides a standards-based HTTP API for decisions determined based on the policies configured within the PingAuthorize Server Policy Decision Service.
The XACML-JSON PDP API is implemented as a single endpoint that consuming application servers can access using POST requests to the /pdp
path. The HTTP requests must include the appropriate Content-Type
and Accept
headers, and request bodies must adhere to the XACML-JSON standard. For more information, see Requests and responses.
The XACML-JSON PDP API supports the Multirequests JSON object, which allows a client to make multiple decision requests in a single HTTP request.
A successful XACML-JSON PDP API request goes through a two-phase flow:
-
The client makes the XACML-JSON request, which is received by the XACML-JSON PDP API. The API converts the request to a PingAuthorize Server batch decision request and attempts to authorize the client.
-
On successful authorization, the request is handed off to the Policy Decision Service to process decisions in batch for the XACML-JSON PDP API. The API then converts the batch decision responses to a XACML-JSON response and writes the response to the client.
Authorization
Before calculating a decision, the XACML-JSON PDP API attempts to authorize the client making the XACML-JSON PDP API request by invoking the Policy Decision Service.
To target a PDP authorization request in-policy, it must apply to the PDP
Service and the authorize
Action. The default policies included with PingAuthorize Server perform this authorization by only permitting requests with active access tokens that contain the urn:pingauthorize:pdp
scope.
For example, under the default policies, the following request would result in an authorized client when the PDP is configured with a mock access token validator:
curl --insecure -X POST \
-H 'Authorization: Bearer {"active":true,"scope":"urn:pingauthorize:pdp", "sub":"<valid-subject>"}' \
-H 'Content-Type: application/xacml+json' \
-d '{"Request":{}}' "https://<your-pingauthorize-host>:<your-pingauthorize-port>/pdp"
The default policies are intended to provide a foundation. You can modify these policies if additional authorization logic is required.
Decision processing
On successful client authorization, the XACML-JSON PDP API invokes the Policy Decision Service with the batch decision requests converted from the XACML-JSON request.
When writing policy for the XACML-JSON PDP API endpoint, you should note the mapping between the XACML-JSON schema and the PingAuthorize Server decision request. For more information, see Requests and Responses.
After the Policy Decision Service determines a decision response, it hands the response back to the XACML-JSON PDP API to provide to the client.
Requests and responses
The POST /pdp
operation authorizes the client using the MultiRequests JSON object. On successful client authorization, the XACML-JSON PDP API invokes the Policy Decision Service with batch decision requests converted from the XACML-JSON request.
The {{apiPath}}
variable in this request represents the client's PingAuthorize host and port. For example, https://<your-pingauthorize-host>:<your-pingauthorize-port>
.
Authorize client with MultiRequests JSON object
JSON PDP API Reference
The JSON policy decision point (PDP) API provides an HTTP API for decisions determined by the policies configured within the PingAuthorize Server Policy Decision Service.
The JSON PDP API is implemented with an individual decision request endpoint, a batch request endpoint, and a query decision request endpoint that consuming application servers can access using POST requests to the /governance-engine
, /governance-engine/batch
, or /governance-engine/query
paths, respectively.
A successful JSON PDP API request goes through the following flow:
-
The client makes the JSON request, which is received by the JSON PDP API. The API forwards the request to the PDP.
-
When the PDP returns a response, the API sends the response to the client.
By default, decision responses from the JSON PDP API will include, at minimum, basic information about the server instance, the API resources, and the inbound and outbound flow of data. You can use the X-Respond-With request header to modify the verbosity of the decision response. Add one X-Respond-With request header for each decision response view you wish to receive. For more information about decision response views and allowed values, see About the Decision Response View.
Batch requests
Batch requests consist of an array named "requests
" of JSON objects, each of which is a standard JSON PDP API single decision request.
After the Policy Decision Service determines a decision response, it hands the response back to the JSON PDP API to provide to the client. JSON PDP API responses include decisions, such as Permit
or Deny
, and any obligations or advice that matched during policy processing.
The batch decision responses are guaranteed to be returned in the same order as the received responses. For example, the first response in the batch responses corresponds to a decision on the first request in the batch requests.
Authorize client with batch decision
Individual requests
A valid JSON PDP API request is a simple JSON object that can be forwarded to the Policy Decision Service. Policies can match a decision request by Service
, Domain
, Action
, or other attributes.
The following table describes the values contained in a valid JSON PDP API request.
Field | Type | Required | PingAuthorize Trust Framework type | Example value |
---|---|---|---|---|
domain |
string | no | Domain | Sales.Asia Pacific |
action |
string | no | Action | Retrieve |
service |
string | no | Service | Mobile.Landing page |
identityProvider |
string | no | Identity Provider | Social Networks.Spacebook |
attributes |
map<string, string> | yes | Other Attributes | {"Prospect name": "B. Vo"} |
Authorize client with individual decision
Policy queries
Policy queries enable you to drive user interfaces and proactively evaluate authorization policy behavior through dynamic decision requests containing unbounded and multivalued attributes.
Decision requests with query attributes check which combinations of subject, action, and resource produce a PERMIT
decision result in a specified context. Open-ended and multivalued requests increase decision efficiency by eliminating the need for batch requests to answer such questions as "Which accounts can this user access?" or "Can this user read or delete this resource?"
If a decision request including a subject, action, and resource produces a PERMIT
response, that subject is authorized to perform that action on that resource. Policy administrators specify which users (subjects) can access system resources and which actions they can perform on those resources, given a range of dynamic, contextual data points evaluated at runtime. This data can include user roles, identity attributes, organization rules and policies, or a combination of them.
Related topics
Query decision request
Policy Editor
The PingAuthorize Policy Editor APIs provide the tools to implement attribute-based access control and dynamic authorization management.
Authentication
Before making requests to the PingAuthorize Policy Editor endpoints, you must be authenticated. The following authentication methods are supported:
Method | Description |
---|---|
None | Provide the x-user-id header with a userID value. |
OIDC | Provide a valid token. |
LDAP | Provide valid client credentials. |
Paginated responses
Many of the PingAuthorize Policy Editor endpoints have the term “Paginated” appended to the response (e.g. Collection of Policy (Paginated)). Since these endpoints typically return several entities in a single response body, pagination limits the number of entities returned by specifying query parameters.
The following example represents a JSON paginated response:
{
"pagination": {
"page": 1,
"pageSize": 10,
"totalItems": 1,
"totalPages": 1
},
"data": [
{
<data>
}
]
}
In this example, the first page is returned with a limit of 10 entities. Since there is only a single entity and page, represented by the totalItems
and totalPages
properties, a second page is not queryable. In this case, the totalItems
needs to reach 11 for a second page to be queryable.
Query parameters for paginated responses
Use the following query parameters for pagination:
Query parameter | Description |
---|---|
page |
Indicates which page of entities to return. For example, if the first page of entities returned does not contain a specific entity, then set page to 2 to return the next set of entities. |
page-size |
Indicate the maximum number of entities returned. |
Entity History
These endpoints provide the capabilities to read the history of a specific entity version, such as a trust framework, policy manager, and test suite entities.
Entity types
The following table shows entity types and descriptions:
Type | Description |
---|---|
Definition |
Any Trust Framework or Test Suite entity type (i.e. Attribute, Service, Target, Condition, Test Case, Test Scenario). |
Policy |
Policy type. |
PolicySet |
PolicySet type. |
Rule |
Rule type. |
Statement |
Statement type. |
Target |
Target type. |
Read Entity with Specific Version
Trust Framework
The PingAuthorize Trust Framework defines all the entities that your organization can use to build policies. These entities include, for example, the HTTP request attributes that describe API requests protected by PingAuthorize Server and the services that identify the REST APIs themselves.
The PingAuthorize trust framework service provides endpoints to define the entities and configurations to target policies and rules when making dynamic authorization requests.
Authorization Trust Framework definition data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
description |
String | N/A | N/A | Arbitrary description for the definition. |
fullName |
String | N/A | N/A | A unique name generated by the system for each definition. It’s the concatenation of names in the definition hierarchy. |
id |
String | N/A | Read only | The resource's unique identifier. |
name |
String | N/A | N/A | Arbitrary name for the definition. |
numberOfChildren |
String | N/A | N/A | Number of children of the definition. |
parentId |
String | N/A | N/A | ID of the parent definition. |
permissions |
Object | N/A | N/A | Permissions of the definition. |
properties |
N/A | N/A | N/A | Properties of the definition. |
type |
Object | Required | Mutable | Type of the definition. See DefinitionType (ENUM) for all value options. |
version |
String | Required | Read only | A unique ID generated by the system for concurrency control purposes. |
Authorization test case (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
testCase |
Object | N/A | N/A | The field that was changed. |
Authorization test scenario (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
testScenario |
Object | N/A | N/A | The field that was changed. |
Authorization assertion (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
assertion |
Object | N/A | N/A | The field that was changed. |
Authorization attribute (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
cacheConfig |
Object | N/A | N/A | Whether to use caching and if so, a configuration of how to cache. |
defaultValue |
String | N/A | N/A | The default value of the attribute if no resolvers are applied. |
isSecret |
Boolean | N/A | N/A | If true, don’t display the value in decision tree logs. |
querySettings |
Object | N/A | N/A | Allows the user to specify an attribute to resolve its value from, so the user can call the decision engine and refer to the attribute without having to specify its value. |
repetitionSource |
String | N/A | N/A | The ID of the attribute with ValueType “Collection” to get the values from and (maybe process and) output each value. Set resolver to “Current Repetition Value” to use each value from the collection. |
resolvers |
Object | N/A | N/A | The resolvers dictate where the attribute gets its initial value from, which may then be processed by processors. The first resolver to satisfy its condition from top to bottom is the one that is used to derive the value. |
valueProcessor |
Object | N/A | N/A | The processor takes the current value of the attribute and transforms it to another value and/or type. |
valueType |
Object | N/A | N/A | The resulting type of the value of the attribute. See ValueType (ENUM) for all value options. |
Authorization effective permissions data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
definedOn |
Object | N/A | N/A | The type and ID of the entity which the permission is defined for. |
effectivePermissions |
Object | N/A | N/A | A collection of permissions that the effective permission has. |
inherited |
Boolean | N/A | N/A | Whether the permission is inherited or not. |
Authorization condition (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
Object | N/A | N/A | The condition that defines the condition definition. |
Authorization identity class (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
identityProperties |
List | N/A | N/A | List of IDs of identity properties. |
Authorization identity provider (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
identityProperties |
List | N/A | N/A | List of IDs of identity properties. |
Authorization service (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
cacheSettings |
Object | N/A | N/A | Cache settings for the service. |
isSecret |
Boolean | N/A | N/A | If true, don’t display the value in decision tree logs. |
serviceSettings |
Object | N/A | N/A | Allows the user to specify an attribute to resolve its value from, so the user can call the decision engine and refer to the attribute without having to specify its value. |
serviceType |
Object | N/A | N/A | Describes the type of service. See See ServiceType (ENUM) for all value options. |
resolvers |
Object | N/A | N/A | The resolvers dictate where the attribute gets its initial value from, which may then be processed by processors. The first resolver to satisfy its condition from top to bottom is the one that is used to derive the value. |
valueProcessor |
Object | N/A | N/A | The processor takes the current value of the attribute and transforms it to another value and/or type. |
valueType |
Object | N/A | N/A | The resulting type of the value of the attribute. See ValueType (ENUM) for all value options. |
Authorization value processor (definition) data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
valueProcessor |
Object | N/A | N/A | The processor that makes up the processor definition. |
Authorization entity path segment data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | N/A | The unique ID of the entity. |
shared |
Boolean | N/A | N/A | The type of the entity. |
type |
String | N/A | N/A | Whether the entity is shared or not. |
DefinitionType (ENUM)
Values |
---|
ACTION |
ASSERTION |
ATTRIBUTE |
CONDITION |
DOMAIN |
IDENTITY_CLASS |
IDENTITY_PROPERTY |
IDENTITY_PROVIDER |
NONE |
SERVICE |
TEST_CASE |
TEST_SCENARIO |
VALUE_PROCESSOR |
ServiceType (ENUM)
Values |
---|
CAMEL |
DATABASE |
LDAP |
NONE |
RESTFUL |
ValueType (ENUM)
Values |
---|
BOOLEAN |
COLLECTION |
DATE_TIME |
DURATION |
JSON |
LOCAL_DATE |
LOCAL_DATE_TIME |
LOCAL_TIME |
NUMBER |
PERIOD |
STRING |
TIME_PERIOD |
XML |
ZONED_DATE_TIME |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Trust Framework Testing
Trust Framework testing in PingAuthorize enables you to validate the type conversion of policy information points (PIP) included in decision requests and the logical behavior of conditions.
The PingAuthorize Trust Framework test endpoint allows you to test attribute, condition, and service definitions.
Authorization entity testing data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
attributeValueOverrides |
Map<String, String> | N/A | N/A | A map of attribute value overrides, where the key is the attribute name and the value is the overridden value. |
decisionRequest |
Object | N/A | N/A | The decision request object containing the details of the decision to be made. |
serviceValueOverrides |
Map<String, String> | N/A | N/A | A map of service value overrides, where the key is the service name and the value is the overridden value. |
Authorization decision status data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
code |
Object | N/A | N/A | An enumeration of the possible decision evaluation statuses. Can be null. Values: OKAY , GUARD FAILED , INTERNAL GUARD FAILED , MISSING_ATTRIBUTE , TYPE_CONVERSION_ERROR , PROCESSING_ERROR , TIMEOUT . |
messages |
Object | N/A | N/A | Any status messages describing the status code. Can be null. |
errors |
Object | N/A | N/A | Any decision errors produced during an evaluation. Can be null. |
Authorization decision error data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
code |
Object | N/A | N/A | An enumeration of the possible decision evaluation statuses. Can be null. Values: OKAY , GUARD FAILED , INTERNAL GUARD FAILED , MISSING_ATTRIBUTE , TYPE_CONVERSION_ERROR , PROCESSING_ERROR , TIMEOUT . |
messages |
String | N/A | N/A | A description of the error. Can be null. |
Create Trust Framework Test Attribute Definition
Create Trust Framework Test Condition Definition
Create Trust Framework Test Service Definition
Read Trust Framework Definition (ID)
Read Trust Framework Definition Children (ID)
Read Trust Framework Definition Children (Type and Full Name)
Read Trust Framework Definition Dependencies
Read Trust Framework Definition Effective Permissions (ID)
Read Trust Framework Definition Version History (ID)
Read Trust Framework Definition Path (ID)
Read All Trust Framework Root Definition (Type)
Read Trust Framework Definition Test Cases (ID)
Read Trust Framework Definition (Type and Full Name)
Read All Trust Framework Definitions (Type)
Read Trust Framework Definition (Parent Type and Full Name)
Create Trust Framework Root Definition (Type)
Create Trust Framework Definition (Parent ID)
Create Trust Framework Definition (Parent Type and Full Name)
Update Trust Framework Definition (Parent Type and Full Name)
Update Trust Framework Definition (ID)
Delete Trust Framework Definition (ID)
Delete Trust Framework Definition (Parent Type and Full Name)
Policy Manager
The Policy Manager APIs provide a powerful way to implement attribute-based access control and dynamic authorization for your organization's services and data. These APIs allow you to define and enforce policies that determine whether a given resource request should be permitted or denied, enabling fine-grained, context-aware access control.
Use the following components in policies and rules to capture authorization logic:
-
Conditions: Define authorization logic by comparing one thing to another.
-
Targets: Use comparisons to help the decision service determine which policies or rules are relevant to a particular request.
-
Statements: Instruct the decision service to perform additional processing in conjunction with an authorization decision. In addition to allowing or blocking access to a resource, using statements, the decision service can attach information to decision responses and filter and transform API payloads.
-
Combining algorithms: To evaluate the overall decision of a policy, the decision service applies a combining algorithm. The algorithm determines how rules are combined to produce an authorization decision.
Policies
Authorization policies specify the statements (directives that instruct the policy decision service to perform additional processing in conjunction with an authorization decision), conditions (authorization logic comparing one thing to another), and combining algorithms (the process for combining multiple rules) to determine an authorization decision.
This enables you to build policies that answer the question "Should this resource-access request be permitted or denied?. The PingAuthorize policies endpoint allows you to create, read, update, and delete policies.
Authorization policy data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
children |
Array | Optional | Mutable | The list of child policies or rules. Can be either referenced or embedded. |
combiningAlgorithm |
Object | Required | Immutable | The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules. |
condition |
Object | Optional | Mutable | The authorization condition object. For details, see Authorization Conditions. |
description |
String | Optional | Mutable | The authorization policy resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the Policy is disabled or not. |
id |
String | N/A | Read only | The policy resource's unique identifier. |
name |
String | Required | Mutable | A user-friendly policy name. The name value must be unique. |
repetitionSettings |
Object | Optional | Mutable | Applies the policy to each item of the specific attribute, filtered by decision. |
shared |
Boolean | N/A | N/A | Whether the Policy is shared or not. |
statements |
Object | Optional | Mutable | A collection of Statement IDs, see Authorization Statements. |
targets |
String | N/A | N/A | A collection of Target IDs. |
type |
String | Required | Mutable | The attribute type. Value is always POLICY . |
version |
String | Required | Read only | The unique version ID of the Policy. |
Authorization policy representation data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
children |
Array | Optional | Mutable | The list of child policies or rules. Can be either referenced or embedded. |
combiningAlgorithm |
Object | Required | Immutable | The algorithm that determines how rules are combined to produce an authorization decision. For details, see Authorization Rules. |
condition |
Object | Optional | Mutable | The authorization condition object. For details, see Authorization Conditions. |
description |
String | Optional | Mutable | The authorization policy resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the Policy is disabled or not. |
id |
String | N/A | Read only | The policy resource's unique identifier. |
name |
String | Required | Mutable | A user-friendly policy name. The name value must be unique. |
repetitionSettings |
Object | Optional | Mutable | Applies the policy to each item of the specific attribute, filtered by decision. |
shared |
Boolean | N/A | N/A | Whether the Policy is shared or not. |
statements |
Object | Optional | Mutable | A collection of Statement IDs, see Authorization Statements. |
targets |
String | N/A | N/A | A collection of Target IDs. |
version |
String | Required | Read only | The unique version ID of the Policy. |
Policy node representation
Either a PolicyRepresentation, PolicySetRepresentation, or PolicyNodeReference.
Authorization policy node reference data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | Read only | The policy resource's unique identifier. |
type |
String | Required | Mutable | The attribute type. Value is always POLICY . |
Authorization repetition settings data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
decision |
Object | N/A | N/A | Decision used as a filter. |
source |
String | N/A | N/A | ID of the repetition source being referenced. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read All Policies
Read One Policy (ID)
Read Policy Effective Permissions (ID)
Read Policy Version History (ID)
Read All Parent PolicySets of Policy (ID)
Read Policy with Dependencies (ID)
Read Policy Path (ID)
Read All Root Policies
Read All Entities that Reference Policy
Create Policy
Update Policy (ID)
Update Parent PolicySets of Policy (ID)
Delete Policy (ID)
Policy Sets
A policy set in PingAuthorize is a container for one or more policies. These endpoints provide the ability to create, read, update, and delete policy sets in the PingAuthorize policy manager.
Authorization policy set data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
children |
Array | Optional | Mutable | References of the child policies and policy sets. |
combiningAlgorithm |
Object | Required | Immutable | Governs how the children are combined to produce an outcome for the policy set |
condition |
Object | Optional | Mutable | An object representing the targeting condition within the policy set. |
description |
String | Optional | Mutable | The authorization policy set resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the policy set is disabled or not. |
id |
String | N/A | Read only | The policy set resource's unique identifier. |
name |
String | Required | Mutable | The name of the policy set. |
shared |
Boolean | N/A | N/A | Whether the policy set is shared or not. |
statements |
String | Optional | Mutable | A collection of statement IDs. |
targets |
String | N/A | N/A | A collection of Target IDs. |
type |
String | Required | Mutable | The attribute type. Value is always PolicySet . |
version |
String | Required | Read only | The unique version ID of the policy set. |
Authorization policy set representation data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
children |
Array | Optional | Mutable | Child policies and policy sets, either in the form of a new in-line policy / policy set (PolicyRepresentation / policy setRepresentation), or a reference to a library policy / policy set (PolicyNodeReference). |
combiningAlgorithm |
Object | Required | Immutable | Governs how the children are combined to produce an outcome for the policy set. |
condition |
Object | Optional | Mutable | An object representing the targeting condition within the policy set. |
description |
String | Optional | Mutable | The authorization policy set resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the policy set is disabled or not |
id |
String | N/A | Read only | The policy set resource's unique identifier. |
name |
String | Required | Mutable | The name of the policy set. |
shared |
Boolean | N/A | N/A | Whether the policy set is shared or not. |
statements |
Object | Optional | Mutable | A collection of Statement IDs. |
targets |
String | N/A | N/A | A collection of Target IDs. |
version |
String | Required | Read only | The unique version ID of the policy set. |
Policy node representation
Either a PolicyRepresentation, PolicySetRepresentation, or PolicyNodeReference.
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read All PolicySets
Read All Root PolicySets
Read All PolicySet Reference Entities (ID)
Read One PolicySet
Read PolicySet Path (ID)
Read PolicySet with Dependencies
Read Parent PolicySets of PolicySet
Read PolicySet Version History
Read PolicySet Effective Permissions
Create PolicySet
Update PolicySet
Update Parent PolicySet (ID)
Delete PolicySet
Rules
Policy rules power the fine-grained access control capability of PingAuthorize. Rules contain logical conditions that evaluate to true or false. Policies can include one or more rules to produce a fine-grained authorization decision of Permit, Deny, Indeterminate, or Not Applicable.
To evaluate the overall decision of a policy, the policy decision point (PDP) applies a combining algorithm. The default algorithm that is set on a new policy is The first applicable will be the final decision. This algorithm stops evaluating as soon as it reaches a decision that is not Not Applicable.
Authorization rules data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
Object | Optional | Mutable | An object representing the conditions within the Rule. |
description |
String | Optional | Mutable | The authorization rule resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the Rule is disabled or not. |
effectSettings |
Object | Required | Immutable | Determines whether the rule results in a permit or deny. |
id |
UUID | Required | Read only | The resource's unique identifier. |
name |
String | Required | Mutable | The name of the rule. |
statements |
Object | Optional | Mutable | A collection of Statement IDs. |
targets |
String | N/A | N/A | A collection of Target IDs. |
type |
String | Required | Immutable | The entity type. Value is always RULE . |
version |
UUID | Required | Read only | The unique version ID of the Rule. |
Rule node representation
Either a RuleRepresentation or a RuleReference.
Authorization rule representation data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
Object | Optional | Mutable | An object representing the conditions within the Rule. For details, see Authorization Conditions. |
description |
String | Optional | Mutable | The authorization rule resource's description. |
disabled |
Boolean | Optional | Mutable | Whether the Rule is disabled or not. |
effectSettings |
Object | Required | Immutable | Determines whether the rule results in a permit or deny. |
id |
UUID | Required | Read only | The resource's unique identifier. |
name |
String | Required | Mutable | The name of the rule. |
statements |
Object | Optional | Mutable | A collection of Statement IDs. For details, see Authorization Statements. |
targets |
String | N/A | N/A | A collection of Target IDs. |
version |
UUID | Required | Read only | The unique version ID of the Rule. |
Authorization rule reference data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
id |
UUID | Required | Read only | The resource's unique identifier. |
type |
String | Required | Immutable | The entity type. Value is always RULE . |
ConditionalPermitElseDeny
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
String | Required | Read only | The condition that determines whether the result is permit or deny. |
ConditionalDenyElsePermit
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
String | Required | Read only | The condition that determines whether the result is permit or deny. |
EffectSettings
Property | Subtypes |
---|---|
{type} |
The type of effect settings, either: “unconditionalPermit”,”unconditionalDeny”,”conditionalPermitElseDeny”,”conditionalDenyElsePermit” |
CombingAlgorithm
Subtypes |
---|
DenyOverrides |
DenyUnlessPermit |
DenyUnlessThreshold |
FirstApplicable |
OnlyOneApplicable |
PermitOverrides |
PermitUnlessDeny |
Decision (ENUM)
Values |
---|
DENY |
INDETERMINATE |
NOT_APPLICABLE |
PERMIT |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
Read All Rules
Read All Parent Policies of Rule (ID)
Read One Rule (ID)
Read Rule Path (ID)
Read Rule with Dependencies (ID)
Read Rule Effective Permissions (ID)
Read All Entities that Reference the Rule (ID)
Read Rule Version History (ID)
Read Root Rules
Create Rule
Update Rule
Update Parent Policies of Rule (ID)
Delete Rule
Statements
A statement is a directive that instructs the policy enforcement point (PEP) to perform additional actions alongside an authorization decision.
By adding statements to the Library, you can easily add them to your policies. Without statements, policies simply return a permit or deny decision. With statements, you can include additional information in decisions, such as adding response headers on a permit decision or including a message with a deny decision. Statements only apply when a rule or policy returns a permit or deny decision. They are not included in decisions that are indeterminate or not applicable.
The Policy Editor comes with the following pre-configured statements:
-
Add Filter: Use the
add-filter
code to add administrator-required filters to System for Cross-domain Identity Management (SCIM) search queries. -
Combine SCIM Search Authorizations: Use the
combine-scim-search-authorizations
code to optimize policy processing for SCIM search responses. -
Denied Reason: Use the
denied-reason
code to allow a policy writer to provide an error message that contains the reason for denying a request. -
Exclude Attributes: Use the
exclude-attributes
code to specify the attributes to exclude from a JSON response. -
Filter Response: Use the
filter-response
code to direct PingAuthorize Server to invoke policy iteratively over each item of a JSON array contained within an API response. -
Include Attributes: Use the
include-attributes
code to limit the attributes that a JSON response can return. -
Modify Attributes: Use the
modify-attributes
code to modify the values of attributes in the JSON request or response. -
Modify Headers: Use the
modify-headers
code to modify the values of request headers before PingAuthorize sends them to the upstream server or to modify the values of response headers before PingAuthorize returns them to the client. -
Modify Query: Use the
modify-query
to modify the query string of the request sent to the API server. -
Modify SCIM Patch: Use the
modify-scim-patch
code to add operations to a SCIM patch in a modify request before it is submitted to the store adapter. -
Regex Replace Attributes: Use the
regex-replace-attributes
to specify a regex to search for attributes in a request or response body and replace their values with a regex replacement string.
For more information about statement codes and payloads, see Statements in the PingAuthorize Policy Administration Guide.
The statements endpoint provides operations for creating, reading, updating, and deleting policy statements. Each operation requires either a branch ID or a statement ID in the request URL.
Statements data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Specifies the ID of the statement. |
version |
String | N/A | Read-only | Specifies the version ID of the statement. |
type |
String | Optional | Mutable | Specifies the resource type. Always set to statement . |
name |
String | Required | Mutable | Specifies the name of the statement. |
description |
String | Optional | Mutable | Provides a description of the statement. |
shared |
Boolean | Optional | Mutable | A boolean that specifies whether or not the statement is shared between policy entities. |
code |
String | Required | Mutable | Specifies a unique statement type identifier. |
appliesTo |
String | Optional | Mutable | Specifies the type of decisions the statement is attached to. Allowable values are ANYTHING , PERMIT , DENY , PERMIT_OR_DENY , or INDETERMINATE . Defaults to ANYTHING . |
appliesIf |
String | Optional | Mutable | Specifies the condition under which the statement is returned in the decision response. Allowable values are ANYTHING , FINAL_DECISION_MATCHES , and PATH_MATCHES . Defaults to PATH_MATCHES . |
payload |
String | Optional | Mutable | Specifies the set of parameters governing the actions performed when PingAuthorize applies the statement. The appropriate payload value depends on the statement type. |
obligatory |
Boolean | Optional | Mutable | A boolean that determines whether the final decision applies only if the statement can be fulfilled. |
attributes |
String[] | Optional | Mutable | Specifies the IDs of attributes to include in the statement payload. |
services |
String[] | Optional | Mutable | Specifies the IDs of services to include in the statement payload. |
effectivePermissions |
JSON[] | N/A | Read-only | Specifies a list of permissions assigned to the statement. Each permission object contains the following fields: * permission : The operation for which permission is enabled. For example, READ .* role : The role to which the permission is assigned. |
definedOn |
String | N/A | Read-only | Specifies the unique ID of the statement to which permissions are assigned. |
inherited |
Boolean | N/A | Read-only | Specifies whether or not permissions are inherited from a parent entity. |
pageHeader.entityId |
UUID | N/A | Read-only | Specifies the unique ID of the statement for which a version history is being retrieved. |
pageHeader.entityType |
String | N/A | Read-only | Specifies the type of entity for which a version history is being retrieved. |
version |
UUID | N/A | Read-only | Specifies the unique ID of a statement version. |
deltaId |
UUID | N/A | Read-only | Specifies the unique ID of a snapshot delta. |
snapshotId |
UUID | N/A | Read-only | Specifies the unique ID of a snapshot. |
timestamp |
String | N/A | Read-only | Specifies the date and time at which a delta was generated. |
user |
String | N/A | Read-only | Specifies the user who was signed when the delta was generated. |
Result filtering data model
Filtering parameter | Description |
---|---|
page |
Specifies the page number of results to return. |
page-size |
Specifies the number of results to return per page. |
onlyShared |
Set to true to only list the statements shared between policy entities. Set to false to list all statements defined in the system. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
201 | Successful operation. |
400 | A branch, snapshot or JSON value has not been specified correctly, or is missing. |
404 | The statement with the given ID was not found. |
409 | The statement ID in the URL does not match the statement ID in the request body. |
409 | The statement is referred to somewhere else and cannot be deleted until those references are removed. |
Create Statement
Read All Statements
Read One Statement
Read Statement Dependencies
Read Statement Effective Permissions
Read Statement Version History
Read Statement Path
Read Statement References
Update Statement
Delete Statement
Targets
Targets define the conditions that determine when policies and rules apply to decision requests.
Targets enable the decision service to evaluate whether a policy or rule is relevant to a specific request. If a target's condition is true, the rule or policy will be evaluated. Otherwise, the rule or policy is not applicable to the decision request. The library makes targeting logic available for easy reuse across policies and rules.
The targets endpoint provides operations for creating, reading, updating, and deleting policy targets. Each operation requires either a branch ID or a statement ID in the request URL.
Targets data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Specifies the ID of the target. |
version |
String | N/A | Read-only | Specifies the version ID of the target to update. |
type |
String | Optional | Mutable | Specifies the resource type. Always set to target . |
name |
String | Required | Mutable | Specifies the name of the target. |
description |
String | Optional | Mutable | Provides a description of the target. |
shared |
Boolean | Optional | Mutable | A boolean that determines whether the target is shared between policy entities or not. |
disabled |
Boolean | Optional | Mutable | A boolean that determines whether the target is disabled or not. |
targeted |
Object{} | Optional | Mutable | Specifies a list of object collections mapping definition types to entity IDs. For example, {"actions": ["b072d76e-0085-4423-99c2-4e16b74e88fa"]} . The allowed definition types are actions , services , domains , and identityClasses . |
effectivePermissions |
JSON[] | N/A | Read-only | Specifies a list of permissions assigned to the statement. Each permission object contains the following fields: * permission : The operation for which permission is enabled. For example, READ .* role : The role to which the permission is assigned. |
definedOn |
String | N/A | Read-only | Specifies the unique ID of the target to which permissions are assigned. |
inherited |
Boolean | N/A | Read-only | Specifies whether or not permissions are inherited from a parent entity. |
pageHeader.entityId |
UUID | N/A | Read-only | Specifies the unique ID of the target for which a version history is being retrieved. |
pageHeader.entityType |
String | N/A | Read-only | Specifies the type of entity for which a version history is being retrieved. |
version |
UUID | N/A | Read-only | Specifies the unique ID of a target version. |
deltaId |
UUID | N/A | Read-only | Specifies the unique ID of a snapshot delta. |
snapshotId |
UUID | N/A | Read-only | Specifies the unique ID of a snapshot. |
timestamp |
String | N/A | Read-only | Specifies the date and time at which a delta was generated. |
user |
String | N/A | Read-only | Specifies the user who was signed in when the delta was generated. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | A valid branch or snapshot has not been specified. |
400 | The target ID is not formatted correctly. |
404 | The target with the provided ID was not found. |
409 | The ID in the URL and the ID in the request body do not match. |
409 | The target with the given ID is referred to elsewhere in the system and cannot be deleted until all such references are removed. |
Create Target
Read All Targets
Read One Target
Read Target Dependencies
Read Target Effective Permissions
Read Target Version History
Read Target Path
Read Target References
Update Target
Delete Target
Test Cases
Read All Test Cases (PolicySet/Policy/Rule)
Decision Node Testing
Create Test Evaluation of Decision Node (ID)
Test Suite
Use the test suite to define test cases, test scenarios, and assertions to validate the behavior of Trust Framework and policy entities.
Building a library of test cases supports a test-driven approach to policy and Trust Framework development. This library can serve as a suite of regression checks, ensuring consistent behavior with each new version of your policies or Trust Framework.
Test scenarios include the subject, resources, actions, and attributes relevant to a decision, as well as optional overrides for attribute and service values. Test cases build on test scenarios by:
- specifying which policy, rule, or Trust Framework definition to test, and
- adding optional assertions to validate the decision result.
After you define a test scenario, you can reference that scenario by ID in your test cases.
For more information about each test suite entity type, see Test Suite in the PingAuthorize Policy Administration Guide.
The test suite endpoint provides operations for creating, reading, updating, and deleting test suite entities. Each operation requires either a branch ID or a statement ID in the request URL.
Test suite data model
Test case data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | N/A | Read-only | Specifies the ID of the test case. |
version |
UUID | N/A | Read-only | Specifies the version ID of the test scenario. |
name |
String | Required | Mutable | Specifies the unique name of the test case. |
description |
String | Optional | Mutable | Provides a description for the test case. |
parentId |
UUID | Optional | Mutable | Specifies the ID of the test case parent. |
objectType |
String | N/A | Mutable | Specifies the type of the entity being created or updated. Always set to TestCaseDefinition . |
permissions.rolePermissions |
JSON[] | Optional | Mutable | Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}] . |
permissions.inherit |
Boolean | Optional | Mutable | Specifies whether the test case inherits permissions from its parent or not. |
testCase.testedEntities |
Test entity[] | Optional | Mutable | Provides a collection of entities to include in the test case. |
testCase.testedEntities.assertions |
Assertion[] | Optional | Mutable | Specifies an assertion object to include with the test case. |
testCase.testScenarioDefinitionId |
String | Optional | Mutable | Specifies the ID of a test scenario to reference in the test case. |
testCase.testScenario.request.domainId |
String | Optional | Mutable | Specifies the ID of a domain to include in the test request. |
testCase.testScenario.request.serviceId |
String | Optional | Mutable | Specifies the ID of a service to include in the test request. |
testCase.testScenario.request.identityProviderId |
String | Optional | Mutable | Specifies the ID of an identity provider to include in the test request. |
testCase.testScenario.request.actionId |
String | Optional | Mutable | Specifies the ID of an action to include in the test request. |
testCase.testScenario.attributeOverrides |
JSON | Optional | Mutable | Specifies how to override attribute values with a list of key-value pairs. For example, {"3577dd53-a71a-4ce8-ab40-c9c083c7c5b9": "override-value"}. |
testCase.testScenario.serviceOverrides |
JSON | Optional | Mutable | Specifies how to override service values with a list of key-value pairs. For example, {"3553dd53-a71a-4ce8-fb40-c9c083c7c5g9": "override-value"}. |
Test scenario data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | N/A | Read-only | Specifies the ID of the test scenario. |
version |
UUID | N/A | Read-only | Specifies the version ID of the test scenario. |
name |
String | Required | Mutable | Specifies the unique name of the test scenario. |
description |
String | Optional | Mutable | Provides a description for the test scenario. |
parentId |
UUID | Optional | Mutable | Specifies the ID of the test scenario parent. |
objectType |
String | N/A | Mutable | Specifies the type of the entity being created or updated. Always set to TestScenarioDefinition . |
permissions.rolePermissions |
JSON[] | Optional | Mutable | Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}] . |
permissions.inherit |
Boolean | Optional | Mutable | Specifies whether the test scenario inherits permissions from its parent or not. |
testScenario.request.domainId |
String | Optional | Mutable | Specifies the ID of a domain to include in the test request. |
testScenario.request.serviceId |
String | Optional | Mutable | Specifies the ID of the service to include in the test request. |
testScenario.request.identityProviderId |
String | Optional | Mutable | Specifies the ID of the identity provider to include in the test request. |
testScenario.request.actionId |
String | Optional | Mutable | Specifies the ID of the action to include in the test request. |
testScenario.attributeOverrides |
JSON | Optional | Mutable | Specifies how to override attribute values with a list of key-value pairs. For example, {"3577dd53-a71a-4ce8-ab40-c9c083c7c5b9": "override-value"}. |
testScenario.serviceOverrides |
JSON | Optional | Mutable | Specifies how to override service values with a list of key-value pairs. For example, {"3553dd53-a71a-4ce8-fb40-c9c083c7c5g9": "override-value"}. |
Test entity data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
entityId |
UUID | N/A | Read-only | Specifies the unique ID of the entity to include in the test case. |
entityType |
String | Required | Immutable | Specifies the type of the entity to include in the test case. For example, String . |
assertions |
Assertion[] | Optional | Mutable | Provides a collection of assertions to include in the test case. |
Assertion data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | N/A | Read-only | Specifies the ID of the assertion. |
version |
UUID | N/A | Read-only | Specifies the version ID of the assertion. |
parentId |
UUID | Optional | Mutable | Specifies the ID of a parent for the assertion. |
name |
String | Required | Mutable | Specifies the unique name of the assertion. |
description |
String | Optional | Mutable | Provides a description for the assertion. |
objectType |
String | N/A | Mutable | Specifies the type of the entity being created or updated. Always set to AssertionDefinition . |
permissions.inherit |
Boolean | Optional | Mutable | Determines whether the assertion inherits permissions from its parent. |
permissions.rolePermissions |
JSON[] | Optional | Mutable | Provides a collection of permissions as permission:role key-value pairs. For example, [{"WRITE": "Role 1"}] . |
assertion.type |
String | Required | Mutable | Specifies the assertion type. For example, json-path . To use an already-defined assertion in a test case, set the type to referenced . |
assertion.accessor |
String | Required | Mutable | Specifies a JSONPath accessor to extract information from the response. |
assertion.comparator |
String | Optional | Mutable | Specifies a comparison to perform between the extracted value and the expected value. Defaults to EQUALS . For detailed information about comparators, refer to Conditions in the PingAuthorize Policy Administration Guide. |
assertion.expectation.valueType |
String | Required | Mutable | Specifies the type of the expected value. For example, String . |
assertion.expectation.value |
String | Required | Mutable | Specifies the expected value. |
Create Root Test Suite Entity
Create Child Test Suite Entity
Create Test Suite Entity by Type and Full Name
Read Test Suite Entity Path
Read Test Suite Entity Children
Read Test Suite Entity Children by Type and Full Name
Read Test Suite Entity Dependencies
Read Test Suite Entity Effective Permissions
Read Test Suite Entity Version History
Read One Test Suite Entity
Read Test Suite Entity by Type and Full Name
Read All Test Suite Entities by Type
Read All Root Test Suite Entities by Type
Update Test Suite Entity
Update Test Suite Entity by Type and Full Name
Delete Test Suite Entity
Delete Test Suite Entity by Type and Full Name
Test Runner
Using the test runner, you can validate policy and Trust Framework configurations through automated testing.
A test run executes one or more test cases, or an entire test suite, and returns the results.
Test runner data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
description |
String | Optional | Immutable | A string that provides a description for the test run. |
testCaseIds |
String[] | Required | Immutable | A collection that includes a list of test case IDs to be added to the test run. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | A valid branch or snapshot has not been specified. |
Create Test Run
Read All Test Run Reports
Read One Test Run Report
Read Full Test Result
Read All Test Result Summaries
Read Summaries of Recently Executed Test Results
End Test Run
Snapshot Service
Snapshots provide a comprehensive, point-in-time representation of the system's configuration and policy state. Stored as a .snapshot
file, they allow you to capture and preserve the state of your authorization environment, enabling straightforward replication of policy and Trust Framework configuration across environments. Snapshots support version control and change management by allowing teams to safely experiment with policy updates or system changes, and quickly revert to a previous state if necessary.
Each snapshot is associated with a specific commit. For more information on managing snapshots in the Policy Editor, see Snapshot Manager.
Snapshot service data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | N/A | Read-only | Specifies the unique ID of the newly created branch. |
name |
String | Required | Mutable | Specifies the name of the newly created branch. |
head |
UUID | N/A | Read-only | Specifies the unique ID of the snapshot at the head of the newly created branch. |
parentId |
UUID | N/A | Read-only | Specifies the unique ID of the parent of the newly created branch, if such a parent exists. |
tip.id |
UUID | N/A | Read-only | Specifies the unique ID of the snapshot at the tip of the newly created branch. |
tip.parentId |
UUID | N/A | Read-only | Specifies the unique ID of the parent of the snapshot at the tip of the newly created branch, if such a parent exists. |
tip.state |
String | N/A | Read-only | Specifies the state of the imported snapshot. The state is either COMMITTED or UNCOMMITTED . |
tip.commitDetails |
JSON | N/A | Read-only | Provides details of the commit associated with the imported snapshot. |
tip.approvals |
String[] | N/A | Read-only | Provides a list of approval user IDs associated with the imported snapshot. |
tip.branchId |
UUID | N/A | Read-only | Specifies the unique ID of the imported snapshot's original branch. |
<objectType> |
JSON[] | Required | Immutable | Provides an array of the JSON objects contained in an exported snapshot. |
<objectType> |
Snapshot Entity[] | Optional | Immutable | Provides an array of entities to include in a partial snapshot. |
Snapshot entity reference data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | Required | Immutable | Specifies the unique ID of the entity to include in a partial snapshot. |
type |
String | Required | Immutable | Specifies the type of entity to include in a partial snapshot. See Entity types for a list of allowable values. |
includeChildren |
Boolean | Required | Immutable | A boolean that determines wether to include children of an entity being included in a partial snapshot. |
Conflict data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | N/A | Read-only | Specifies the unique ID of the entity creating a conflict. |
type |
String | N/A | Read-only | Specifies the type of entity creating a conflict. See Entity types for a list of possible values. |
name |
String | N/A | Read-only | The name of the entity creating the conflict. |
conflict |
String[] | N/A | Read-only | Provides a list of types of conflict that occurred in the merge process. The two types of conflict are COLLISION and DUPLICATE_FULL_NAME . |
Conflict resolution data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
UUID | Required | Immutable | Specifies the unique ID of the conflict resolution. |
type |
String | Required | Immutable | Specifies the type of entity to resolve a conflict for. See Entity types for a list of allowable values. |
resolution |
String | Required | Immutable | Specifies how to resolve the merge conflict by either retaining the incoming changes (TAKE_SNAPSHOT ) or the existing version (TAKE_MINE ). |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | A valid JSON value has not been specified correctly or the body provided is not a snapshot. |
400 | An invalid UUID format has been specified. |
404 | There is no snapshot in the system with the provided ID. |
409 | Branch name already exists. |
409 | Conflicts found. |
Export Snapshot
Import Snapshot
Merge Snapshot into Branch
Version Control
Branch Manager
The branch manager provides operations to create snapshots, as well as read, update, and merge policy branches.
Policy branches enable you to manage different sets of Trust Framework definitions and policies by storing these sets in separate branches. This is helpful in development environments, where you might need to quickly reconfigure PingAuthorize between policy branches.
To easily switch between policy branches and test configurations, define Policy External Servers for each branch and update the Policy Decision Service's policy-server
property. Learn more in Changing the active policy branch.
Branch manager data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
name |
String | Required | Mutable | Specifies the name of the policy branch. |
message |
String | Required | Immutable | Provides the commit message for creation of a new snapshot. |
fromBranchId |
String | Required | Immutable | Specifies the branch to merge changes from. |
resolutions |
Resolution[] | Optional | Mutable | A collection that includes resolution objects for resolving merge conflicts. |
Resolution data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
resolutionType |
String | Required | Immutable | Specifies the action to resolve the conflict. |
entityReference |
Entity reference[] | Required | Immutable | Provides a collection of entities causing the conflict. |
Entity reference
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Specifies the ID of the entity. |
type |
String | N/A | Read-only | Specifies the entity type. |
Response codes
Code | Message |
---|---|
201 | Changes from the source branch were successfully merged into the destination branch. |
204 | Successful operation. |
404 | There is no branch in the system with the given ID. |
409 | The merge failed due to conflicting changes in the source and destination branches. |
Rename Branch
Merge Branches
Create Snapshot
Read All Branches
Read One Branch
Read Uncommitted Changes
Delete Branch and Children
Delete Recent Uncommitted Changes
Snapshot Manager
A snapshot is a set of committed Trust Framework and policy changes made on a branch. You can import and export snapshots to create policy backups and transfer policy configuration between Policy Editor instances.
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
name |
String | Required | Mutable | A string that defines a name for the newly created policy branch. |
Code | Description |
---|---|
200 | Successful operation. |
400 | The UUID provided is not in the correct format. |
400 | Branch limit exceeded. Please delete a branch before trying to create any more. |
404 | There is no branch in the system with the given ID. |
404 | There is no snapshot in the system with the given ID. |
409 | The branch name already exists. |
Approve Snapshot
Remove Approval of Snapshot
Create Child Branch From Snapshot
Read All Snapshots
Read One Snapshot
Read Difference Between Snapshots
Read Deltas of One Snapshot
Read Snapshot Root
Read Version Control Entry Point
Deployment Package
A deployment package in PingAuthorize is a compiled version of the policy tree. The deployment packages includes all trust framework entities consumed by the policy tree and is the key element that is deployed to PingAuthorize Server.
This service provides the ability to read, create, update, and delete deployment packages.
Authorization deployment package data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
approvals |
Object | N/A | N/A | The approvals for the deployment package. |
createdBy |
String | N/A | N/A | The identifier of the user who created the deployment package. |
dateCreated |
String | N/A | N/A | The date and time of when the deployment package was created. |
decisionNodeId |
String | N/A | N/A | The identifier of the root decision node this deployment package is evaluating from. |
decisionNodeName |
String | N/A | N/A | The name of the root decision node. |
id |
String | N/A | N/A | The unique identifier for the deployment package. |
name |
Object | N/A | N/A | The name of the deployment package. |
snapshotDateCommitted |
Instant | N/A | N/A | The date and time when the snapshot was committed. |
snapshotId |
String | N/A | N/A | The identifier of the snapshot associated with the deployment package. |
snapshotMessage |
String | N/A | N/A | The message or description of the snapshot. |
Authorization deployment package approval data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
dateApproved |
Instant | N/A | N/A | The date and time when the approval was given. |
user |
String | N/A | N/A | The identifier of the user who approved the deployment package. |
Read All Deployment Packages
Read One Deployment Package
Read Deployment Package Data (ID)
Create Deployment Package Approval
Create Deployment Package
Delete Deployment Package Approval
Delete Deployment Package
System
Check the system status to make sure the Policy Editor instance is running.
System data model
Property | Type | Required | Mutable | Description |
---|---|---|---|---|
started |
String | N/A | Read-only | Specifies the date and time of system initialization. |
status |
String | N/A | Read-only | Specifies the system status. For example, RUNNING . |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
Read System Status
Governance Engine
Authorization decision response buffer configuration data model
Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
entries |
Integer | N/A | N/A | The number of entries in the decision response buffer. |
filter |
String | N/A | N/A | The filter applied to the decision responses. |
name |
String | N/A | N/A | The name of the decision response buffer configuration. |
secretsSymmetricKey |
String | N/A | N/A | The base64-encoded symmetric key used for encryption. |
Read Buffer Configuration
Read All Previously Evaluated Buffer Decisions
SCIM
Data types and resources
The PingAuthorize Server’s SCIM APIs use the data types and resource format specified by the SCIM 2.0 schema standard, RFC 7643.
SCIM data types
SCIM attributes are typed. The following data types are used:
Data Type | Description |
---|---|
string | A JSON string. |
boolean | A JSON boolean value. May have either of the literal values true or false. |
decimal | A JSON floating-point number. |
integer | A JSON integer number. |
dateTime | A JSON string representing a timestamp. SCIM DateTime values are always encoded as an xsd:dateTime value, as specified by XML Schema, section 3.3.7. |
binary | A JSON string representing a binary value. SCIM binary values are always base64-encoded. |
reference | A JSON string representing a reference to another resource. A SCIM reference is always a URI: This may be a URN, the URL of another SCIM resource, or simply another URL. URLs may be absolute or relative. |
complex | A JSON object. A SCIM complex attribute is a composition of sub-attributes; these sub-attributes may have any data type except for “complex”. |
A SCIM attribute may also be multi-valued. All members of a multi-valued attribute must be of the same data type.
SCIM resource format
A SCIM resource is always represented as a JSON object.
The attributes available in any particular SCIM resource type are defined by the schemas associated with the resource type. A resource type has at least one core schema and may have zero or more extension schemas. An extension schema may be configured to be either required or optional for a resource to be valid.
SCIM schemas provide the means of namespacing JSON attributes. Every schema is identified by a unique schema URN prefix. When specifying attributes, the schema URN prefix is implied for attributes belonging to the core schema but must be provided for attributes belonging to extension schemas. Consider this example resource:
{
"schemas": [
"urn:pingidentity:schemas:User:1.0",
"urn:pingidentity:schemas:sample:profile:1.0"
],
"id": "5caa81af-ec05-41ff-a709-c7378007a99c",
"meta": {
"created": "2016-06-07T13:13:30.873Z",
"lastModified": "2016-06-07T13:13:30.873Z",
"resourceType": "Users",
"location": "https://example.com/scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c"
},
"userName": "joe.chip",
"name": {
"familyName": "Chip",
"formatted": "Joe Chip",
"givenName": "Joe"
},
"accountVerified": true,
"urn:pingidentity:schemas:sample:profile:1.0": {
"termsOfService": [
{
"id": "urn:X-pingidentity:ToS:StandardUser:1.0",
"timeStamp": "2014-11-23T16:36:59Z",
"collector": "urn:X-pingidentity:App:Mobile:1.0"
}
]
}
}
This resource has two schemas:
- A core schema:
urn:pingidentity:schemas:User:1.0
- An extension schema:
urn:pingidentity:schemas:sample:profile:1.0
The core schema attribute userName
may be specified as userName
or as urn:pingidentity:schemas:User:1.0.
The extension schema attribute termsOfService
may only be specified as urn:pingidentity:schemas:sample:profile:1.0.
Common attributes
In addition to core schema and extension schema attributes, all SCIM resources of any type may have certain common attributes. These attributes never need to be namespaced with a URN.
Common attribute | Description |
---|---|
id | An immutable unique identifier for the resource. This attribute is always present. |
externalId | An optional identifier assigned to the resource by the client that provisioned it. |
meta | A complex read-only attribute containing resource metadata. Its sub-attributes are described in the following table. |
Meta sub-attribute | Description |
---|---|
resourceType | The resource type. |
created | A timestamp indicating the resource’s creation date. |
lastModified | A timestamp indicating the time of the resource’s last update. |
location | The canonical URI of the resource. |
List responses
Some SCIM responses, such as search responses, contain multiple resources. These responses are called list responses and have a consistent format using the following fields:
Field | Type | Provided? | Description |
---|---|---|---|
schemas | array | always | The SCIM schema of the list response. Always contains the value urn:ietf:params:scim:api:messages:2.0:ListResponse. |
totalResults | number | always | The number of matching resources. |
startIndex | number | The 1-based index of the first result in the current set of list results. Always present if pagination is used. | |
itemsPerPage | number | The number of resources returned per page. Always present if pagination is used. | |
Resources | array | always | An array consisting of one or more resource objects. For example, this may contain all of the User resources matching a search query. |
Authorization
By default, the access token provided by the client in the request (see Authentication) is used to control access to requested resources. The PingAuthorize Server’s access control policies are customizable, but in general, the scopes granted by the access token determine which resources and attributes are returned.
If access controls determine that the client cannot access the requested resource, then a response with a 403
status code is returned.
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:Error"
],
"scimType": "insufficient_scope",
"status": 403,
"detail": "Requested operation not allowed by the granted OAuth2 scopes."
}
A client may be allowed to access a resource but not all of its attributes. Clients should be prepared to receive incomplete resources, including resources stripped of attributes that are required by the schema.
For information about how to configure an application appropriately for SCIM API access, see configuring scopes in the PingAuthorize Server client developer guide.
Authentication
Clients authenticate to the SCIM APIs by using bearer token authentication, as defined by RFC 6750. Every request must include an Authorization request header, where the header value uses the form Bearer {access token}
.
A bearer token must be obtained from an external authorization server, such as PingFederate.
READ User Name
Requests and responses
For each resource type, the PingAuthorize Server exposes a SCIM endpoint. For example:
/scim/v2/Users
/scim/v2/Products
/scim/v2/Suppliers
Making requests
Each resource is addressable by an identifier; the combination of a resource type name (Users
) and the identifier (5caa81af-ec05-41ff-a709-c7378007a99c
) uniquely identifies the resource to the PingAuthorize Server. For example:
/scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c
Media types
All requests and responses use the UTF-8 character encoding and are formatted as JSON. Clients must accept either the application/scim+json
or application/json
media types, and the request should always provide an Accept
request header with one or both values.
When providing a request body (as with POST
, PUT
, and PATCH
requests), clients should include a Content-Type
request header with the value application/scim+json
or application/json
.
Updating resources
SCIM resources are modified using the PUT
and PATCH
methods, described by sections 3.5.1 and 3.5.2 of RFC 7644, respectively. See the user profile API reference for examples.
HTTP method | Description |
---|---|
PUT |
Replace an existing resource with a resource representation specified in the body of the request. Typically used after a client has obtained a resource using GET . |
PATCH |
Perform a partial modification of a resource against specific attributes specified by the client. A PATCH request uses the following operation types: add, remove, replace. |
Because access controls enforced by the PingAuthorize Server’s policies and scopes can limit a client’s view of a resource, the server must assume that the client may not have access to all attributes of a resource. This is important for PUT
requests, because the server needs to distinguish between a case in which the client explicitly wishes to remove an attribute and a case in which the client does not know about an attribute. The general rule is that the server ignores an attribute that is omitted from a PUT
request, rather than deleting it. If a client explicitly wishes to delete an attribute, then it should set its value to null
.
When a client requests a modification, the PingAuthorize Server computes the difference between the current state of the resource and the state specified by the modification request, applying a minimal set of changes when passing the modification request to the user store. In effect, this means that a PUT
request is ultimately treated as if it were a PATCH
request. This prevents unnecessary modifications from being sent to the user store and, more importantly, also prevents the client from inadvertently removing attributes that it did not specify because it did not have access to them.
The PingAuthorize Server performs this diffing logic at the attribute and sub-attribute level, comparing each attribute in a modification request against the corresponding attribute in the current resource. For multivalued, complex attributes, the server iterates through the values in the modification request and tries to find the corresponding value in the current resource to determine a match. If it is found, it then diffs at the sub-attribute level.
This behavior is summarized by the following table.
Operation | Result |
---|---|
PUT |
Request omitting a simple single-valued attribute (such as userName). No change. |
PUT or PATCH request setting a simple single-valued attribute to null. |
The attribute is deleted. |
PUT or PATCH request replacing the value of a multi-valued attribute, omitting an existing member. |
The omitted attribute is deleted. |
PUT or PATCH request replacing the value of a complex attribute, omitting an existing sub-attribute. |
No change to the omitted sub-attribute. |
For example, if the current value of a resource’s phoneNumbers
attribute is:
"phoneNumbers": [
{
"value": "054-757-2291",
"type": "work",
"primary":"true"
}
]
And a modification request includes:
"phoneNumbers": [
{
"value": "054-757-2291",
"primary": "false"
}
]
Then the final result is:
"phoneNumbers": [
{
"value": "054-757-2291",
"type": "work",
"primary": "false"
}
]
When finding a matching value in a complex attribute, matches of the value
, $ref
, type
, and display
sub-attribute values are given more weight when compared to values of other sub-attributes. This is done because the above sub-attribute values are typically unique for any given complex attribute.
Specifying attributes to return
By default, all attributes that the client is authorized to read will be returned when a resource is requested. Your application can provide special query parameters to override this behavior.
Parameter | Description |
---|---|
attributes | Indicates the set of attributes to include in the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN. |
excludedAttributes | Indicates a set of attributes to exclude from the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN. |
The /Me endpoint
A special endpoint is available at /scim/v2/Me
that acts as an alias for the currently authenticated user, the user associated with the bearer token.
For example, if the currently authenticated user is available via the path /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c
, then the same user resource will also be available through /scim/v2/Me
. The two paths are interchangeable, and the /Me
endpoint can be substituted in any request path where the combination of resource type and identifier might otherwise be used.
This includes sub-resources. For example, for an authenticated user with the ID 5caa81af-ec05-41ff-a709-c7378007a99c
, the paths /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c/password
and /scim/v2/Me/password
both identify the user’s password sub-resource.
Filtering searches
Some but not all endpoints support an optional filter parameter for filtering responses containing multiple resources. As a rule of thumb, if a SCIM path returns a single resource, it does not support filtering. If it returns multiple resources, then it generally supports filtering. For example, /scim/v2/Users
supports filtering, but /scim/v2/Users/{userId}
does not.
SCIM filtering is described in detail by RFC 7644, section 3.4.2.2, and that should be considered an authoritative reference. The following discussion should not be considered exhaustive.
The value of the filter parameter is a search filter, which typically takes the form <attribute> <operator> <value>
. For example:
filter=userName eq "pkd"
Search responses are always list responses, except in the case of an error.
The following attribute operators are supported:
Operator | Description |
---|---|
eq | equal |
ne | not equal |
co | contains |
sw | starts with |
ew | ends with |
pr | present |
gt | greater than |
ge | greater than or equal to |
lt | less than |
le | less than or equal to |
The following logical operators are supported:
Operator |
---|
and |
or |
not |
The following grouping operators are supported:
Operator | Description |
---|---|
() | Groups expressions to alter precedence. |
[] | Contains a filter expression to be applied to a complex attribute. See example below. |
The following is a sample of filtering by a core attribute:
filter=userName eq "pkd"
The following is a sample of filtering by an extended attribute using the ‘starts with’ operator:
filter=urn:pingidentity:schemas:sample:profile:1.0:birthDate sw "1939"
The following is a sample of a complex filter:
filter=emails[value eq "glen@runciter.com"]
The following is a sample of a complex filter with two expressions:
filter=emails[value eq "glen@runciter.com" and type eq "work"]
For more information about searching with SCIM, including caveats, see the client developer guide.
Pagination
The client can provide pagination parameters to page through search result sets.
Parameter | Description |
---|---|
startIndex | The 1-based index of the first query result. |
count | A non-negative integer specifying the maximum number of matching resources to return per page. If 0 is specified, then no resources will be returned, but the totalResults field will still indicate the number of matching resources. |
Search Users with GET
Search Users with POST
Service metadata
The PingAuthorize Server provides three service metadata endpoints, ServiceProviderConfig
, Schemas
, and ResourceTypes
, which clients may use to discover information about the service’s capabilities, configuration, schemas, and resource types.
Clients do not necessarily need to rely on the service metadata endpoints. Clients may be developed based on an out-of-band understanding of the service configuration and data.
READ SCIM service provider configuration
READ SCIM schemas
READ One SCIM schema
READ SCIM resource types
READ One SCIM resource type
User profile
The user profile endpoint exposes user attributes from the PingAuthorize Server’s user store as SCIM resources.
Note that the schemas used, the resource type, and the endpoint name may all be configured differently than shown here.
This guide assumes that the PingAuthorize Server is configured to serve user resources at the /scim/v2/Users
endpoint. The information in this reference is applicable to any resource type, however.
CREATE A User
READ Search Users (POST)
READ Search Users (GET)
READ One User
UPDATE All User attributes (PUT)
UPDATE Replace one or more User attributes (PATCH)
UPDATE Add a member to User attributes (PATCH)
UPDATE Remove a value from User attributes (PATCH)
DELETE a User
Me endpoint
A special endpoint is available at /scim/v2/Me
that acts as an alias for the currently authenticated user, the user associated with the bearer token.
For example, if the currently authenticated user is available via the path /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c
, then the same user resource will also be available through /scim/v2/Me
. The two paths are interchangeable, and the /Me
endpoint can be substituted in any request path where the combination of resource type and identifier might otherwise be used.
This includes sub-resources. For example, for an authenticated user with the ID 5caa81af-ec05-41ff-a709-c7378007a99c
, the paths /scim/v2/Users/5caa81af-ec05-41ff-a709-c7378007a99c/password
and /scim/v2/Me/password
both identify the user’s password sub-resource.
READ One User (Me Endpoint)
UPDATE All User attributes (Me Endpoint)
UPDATE Replace one or more User attributes (PATCH) (Me Endpoint)
UPDATE Add a member to User attributes (PATCH) (Me Endpoint)
UPDATE Remove a value from User attributes (PATCH) (Me Endpoint)
DELETE a User (Me Endpoint)
Errors
Like all other responses, errors are returned as SCIM responses with a media type of application/scim+json
.
Field | Type | Provided? | Description |
---|---|---|---|
schemas | array | always | SCIM schemas used in the error message. The schemas array will always include the value urn:ietf:params:scim:api:messages:2.0:Error to identify the message as an error. Other schema values may be present if Ping Identity-proprietary error fields are used. |
status | number | always | The HTTP status code of the error. This will always be in the 400 or 500 range. |
scimType | string | An error code defined by RFC 7644, section 3.12. | |
detail | string | A human-readable error description. In some cases, this field may contain error messages received from the underlying data store. |
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:Error"
],
"scimType": "invalid_token",
"status": 401,
"detail": "Access token is expired or otherwise invalid."
}
Password update errors
If an error response is returned because of a password update failure, then an additional field will be provided under the urn:unboundid:scim:api:messages:2.0:PasswordUpdateError
schema URN.
Field | Type | Provided? | Description |
---|---|---|---|
passwordRequirements | array | An array of password quality requirements, which are rules that must be satisfied in order to successfully change a password. See here for a description of password quality requirements. |
{
"detail": "The provided new password cannot be the same as the current password or any password in the user's password history",
"schemas": [
"urn:pingidentity:scim:api:messages:2.0:PasswordUpdateError"
],
"scimType": "invalidValue",
"status": 400,
"urn:pingidentity:scim:api:messages:2.0:PasswordUpdateError": {
"passwordRequirements": [
{
"additionalInfo": "The provided new password cannot be the same as the current password or any password in the user's password history.",
"description": "The new password must not be the same as the current password.",
"requirementSatisfied": false,
"type": "notCurrentPassword"
}
]
}
}
Changelog
The following changes have been made to the PingAuthorize SCIM API.
Release Date | Description |
---|---|
6/9/2022 | The PingAuthorize SCIM API Reference migrated from Postman. |