By default, the access token that the client presents in the request (see Authentication) is used to control access to the requested resources. The PingAuthorize Server's access control policies are customizable, but in general the scopes granted to the access token determine which resources, and which attributes of those resources, are returned.

If access controls determine that the client cannot access the requested resource, then a response with a 403 status code is returned.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "insufficient_scope",
    "status": 403,
    "detail": "Requested operation not allowed by the granted OAuth2 scopes."
}

A client may be allowed to access a resource but not all of its attributes. In that case the server returns the resource with the disallowed attributes removed rather than a 403. Clients should therefore be prepared to receive incomplete resources, including resources stripped of attributes that the schema marks as required, and should not treat such a response as malformed or as an error.
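The following Python helper is an added example and is not code from the PingAuthorize documentation or product. It shows how a SCIM client can handle the two outcomes described above: a 403 response carrying the SCIM Error schema with scimType insufficient_scope, and a 200 response whose resource has been stripped of attributes the schema marks as required. Only the 403 body is taken from this page; the REQUIRED_BY_SCHEMA table, the sample User body, the function names and the three-way classification in fetch_outcome are assumptions made for the example.

```python
import json
from typing import Optional, Set, Tuple

# SCIM 2.0 error schema URN (RFC 7644), as used in the page's 403 example.
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# scimType value returned in the page's 403 example.
INSUFFICIENT_SCOPE = "insufficient_scope"


class ScimError(Exception):
    """An error response from the SCIM endpoint."""

    def __init__(self, status: int, scim_type: Optional[str], detail: Optional[str]):
        super().__init__(f"{status} {scim_type or ''}: {detail or ''}".strip())
        self.status = status
        self.scim_type = scim_type
        self.detail = detail


def parse_scim_response(status: int, body: str) -> dict:
    """Return the parsed resource for a 2xx response; raise ScimError otherwise.

    A body is only read as a SCIM error when it carries the SCIM Error schema.
    An empty or non-JSON error body still raises, so a denial is never
    mistaken for a resource.
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if 200 <= status < 300:
        return payload
    if SCIM_ERROR_SCHEMA in payload.get("schemas", []):
        try:
            reported = int(payload.get("status", status))
        except (TypeError, ValueError):
            reported = status
        raise ScimError(reported, payload.get("scimType"), payload.get("detail"))
    raise ScimError(status, None, body[:200] if body else None)


def is_insufficient_scope(err: ScimError) -> bool:
    """True when the server refused the request because of the token's scopes."""
    return err.status == 403 and err.scim_type == INSUFFICIENT_SCOPE


# Attributes the client treats as schema-required. This table is an assumption
# for the example (userName is REQUIRED in the RFC 7643 core User schema); a
# real client would build it from the server's /Schemas endpoint.
REQUIRED_BY_SCHEMA = {
    "urn:ietf:params:scim:schemas:core:2.0:User": {"userName"},
}


def missing_required_attributes(resource: dict) -> Set[str]:
    """Names of schema-required attributes that are absent from the resource."""
    missing: Set[str] = set()
    for schema in resource.get("schemas", []):
        for attr in REQUIRED_BY_SCHEMA.get(schema, set()):
            if attr not in resource:
                missing.add(attr)
    return missing


def fetch_outcome(status: int, body: str) -> Tuple[str, object]:
    """Classify a response as ('denied', detail), ('error', status) or ('ok', missing).

    A partial resource is still 'ok': the stripped required attributes are
    reported to the caller instead of being treated as a malformed response.
    """
    try:
        resource = parse_scim_response(status, body)
    except ScimError as err:
        if is_insufficient_scope(err):
            return ("denied", err.detail)
        return ("error", err.status)
    return ("ok", missing_required_attributes(resource))


# Constructed sample responses so the example runs offline.
# The 403 body is the one shown on this page; the 200 body is a made-up User
# from which the policy has stripped userName (required) and emails.
FORBIDDEN_BODY = json.dumps({
    "schemas": [SCIM_ERROR_SCHEMA],
    "scimType": INSUFFICIENT_SCOPE,
    "status": 403,
    "detail": "Requested operation not allowed by the granted OAuth2 scopes.",
})
PARTIAL_USER_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "example-user-id",
    "displayName": "Example User",
})

if __name__ == "__main__":
    print(fetch_outcome(403, FORBIDDEN_BODY))    # ('denied', 'Requested operation not allowed by the granted OAuth2 scopes.')
    print(fetch_outcome(200, PARTIAL_USER_BODY))  # ('ok', {'userName'})
```

Two points are worth keeping in a real client: the scope check keys on the scimType in the body rather than on the bare 403 status, so a 403 without a SCIM error body (for example from an intermediary proxy) is surfaced as a generic error instead of being misreported as a scope problem; and missing required attributes are returned as data, so the caller can decide whether the attributes it needs were granted rather than failing schema validation on a response the server considers complete for that client.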

For information about how to configure an application appropriately for SCIM API access, see configuring scopes in the PingAuthorize Server client developer guide.