Application role assignments


Application role assignments

The role assignments endpoint implements functions to create, read, and delete the role assignments associated with applications resources. For more information about roles and the permissions associated with each role, see Roles.

Role assignments are defined by the role itself, and at a more granular level by the scope attribute associated with the role assignment. The role assignment scope identifies the type of platform resource that defines the scope, and the id of the specific resource to which the scope applies. The following sample shows the scope attribute, which includes the resource type and id attributes. In this case, the scope is restricted to the environment resource identified by its id.

{
  "scope": {
   "id": "d928aa51-c194-4333-9cf5-0fd0c9b7d62f",
   "type": "ENVIRONMENT"
   }
}

Role assignment scope types include:

  • Organization

    This scope type designates an organization resource as the assignment scope of the role.

  • Environment

    This scope designates an environment resource as the assignment scope of the role.

  • Population

    This scope designates a population resource as the assignment scope of the role.

Application role assignments API operations

The application role assignments endpoints support the following operations:

For hands-on experience with the applications API endpoints, click the Run in Postman button below to download a Postman collection that you can import and open in your local Postman application.

Applications role assignments data model

Property Description
application.id A string that specifies the application resource associated with the role assignment resource.
environment.id A string that specifies the environment associated with the application.
id A string that specifies the application role assignment ID.
readOnly A boolean that specifies whether this role assignment can be deleted by the current actor.
role.id A string that specifies the role ID.
scope.id A string that specifies the role assignment scope ID.
scope.type A string that specifies the type of resource defining the scope of the Role assignment. Options are ORGANIZATION, ENVIRONMENT, and POPULATION.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.

Endpoint examples

Create application role assignments

You can manage the roles assigned to specific applications. When you assign a role to an application, you provide the attribute values required to identify the role and designate the role assignment scope for this application.

The following sample shows the POST /environments/{environmentId}/applications/{applicationId}/roleAssignments operation to create the role assignment for the application in the specified environment resource.

curl -X POST "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/roleAssignments" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken" \
-d "{
  "role": {
    "id": "1813bc13-8d13-4e88-a825-d40bfe82777b",
  },
  "scope": {
    "id": "d928aa51-c194-4333-9cf5-0fd0c9b7d62f",
    "type": "ORGANIZATION"
  }
}"

The request URL identifies the environment ID and application ID. The request body specifies the role ID and the scope attribute values. The scope attribute provides the resource ID and resource type to designate the role assignment scope associated with this application. In this sample, the scope type is ORGANIZATION and the specific organization to which the role assignment scope applies is specified in the id value.

Get application role assignments

Applications in PingOne can be assigned one or more roles. You can view the roles assigned to a specific application, and you can view the role assignment scopes that define the limitations of each role.

The GET /environments/{environmentId}/applications/{applicationId}/roleAssignments operation returns the list of roles assigned to the application specified by the application ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/roleAssignments" \
-H "Authorization: Bearer jwtToken"

The request URL identifies the environment ID and the application’s ID. The response data looks like this.

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c/roleAssignments"
        },
        "application": {
            "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006"
        }
    },
    "_embedded": {
        "roleAssignments": [
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c/roleAssignments/165aa2e9-ab48-48ed-a4ba-eb80a6156afe"
                    },
                    "application": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006"
                    }
                },
                "id": "165aa2e9-ab48-48ed-a4ba-eb80a6156afe",
                "scope": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006",
                    "type": "ENVIRONMENT"
                },
                "role": {
                    "id": "0bd9c966-7664-4ac1-b059-0ff9293908e2"
                },
                "environment": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006"
                },
                "readOnly": false,
                "application": {
                    "id": "cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                }
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c/roleAssignments/2371b6db-2ed2-40cf-a68b-3d0a414e8fce"
                    },
                    "application": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006"
                    }
                },
                "id": "2371b6db-2ed2-40cf-a68b-3d0a414e8fce",
                "scope": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006",
                    "type": "ENVIRONMENT"
                },
                "role": {
                    "id": "29ddce68-cd7f-4b2a-b6fc-f7a19553b496"
                },
                "environment": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006"
                },
                "readOnly": false,
                "application": {
                    "id": "cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                }
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c/roleAssignments/56a48943-4a4c-47de-89b2-9908c2ff9c20"
                    },
                    "application": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006/applications/cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                    },
                    "environment": {
                        "href": "https://api.pingone.com/v1/environments/88c23def-39c9-4646-8d41-aa91a14a1006"
                    }
                },
                "id": "56a48943-4a4c-47de-89b2-9908c2ff9c20",
                "scope": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006",
                    "type": "ENVIRONMENT"
                },
                "role": {
                    "id": "b5057d0d-7281-47f6-9398-8a7e4cb71397"
                },
                "environment": {
                    "id": "88c23def-39c9-4646-8d41-aa91a14a1006"
                },
                "readOnly": false,
                "application": {
                    "id": "cf12be70-c56d-45b6-b45a-956cfbf7fc6c"
                }
            }
        ]
    },
    "count": 3,
    "size": 3
}

Get one application role assignment

The GET /environments/{environmentId}/applications/{applicationId}/roleAssignments/{roleAssignmentId} operation returns the specific role assignment assigned to the application identified by the application’s ID.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/roleAssignments/{roleAssignmentId}" \
-H "Authorization: Bearer jwtToken"

Delete application role assignments

The following sample shows the DELETE /environments/{environmentId}/applications/{applicationId}/roleAssignments/{roleAssignmentId} operation to delete the role assignment specified by its ID in the request URL. The role assignment is deleted only for the application identified in the request URL.

curl -X DELETE "https://api.pingone.com/v1/environments/{environmentId}/applications/{applicationId}/roleAssignments/{roleAssignmentId}" \
-H "Authorization: Bearer jwtToken" \

When successful, the DELETE request returns a code 204 No Content message.