By default, the access token provided by the client in the request (see Authentication) is used to control access to requested resources. The Ping Identity Data Governance Server’s access control policies are customizable, but in general, the scopes granted by the access token determine which resources and attributes are returned.

If access controls determine that the client cannot access the requested resource, then a response with a 403 status code will be returned.

HTTP/1.1 403 Forbidden
Content-Length: 177
Content-Type: application/scim+json
Date: Tue, 07 Jun 2016 22:40:48 GMT

    "schemas": [
    "scimType": "insufficient_scope",
    "status": 403,
    "detail": "Requested operation not allowed by the granted OAuth2 scopes."

A client may be allowed to access a resource but not all of its attributes. Clients should be prepared to receive incomplete resources, including resources stripped of attributes that are required by the schema.

For information about how to configure an application appropriately for SCIM API access, see configuring scopes in the Data Governance Server client developer guide.