The PingOne Management API provides the interface to configure and manage your PingOne organization. The Management API includes the following entities.


PingOne uses an organization-based model to define tenant accounts and their related entities. The organization is the top-level identifier. It defines your entire enterprise within the PingOne platform.

For more information, see Organizations.


An organization contains one or more environments. Environments define separate working domains within an organization. Environments are used to model regions within a large global enterprise such as NA (North America) or EU (European Union). They are also used as the defining entity to segregate enterprise operations by functionality, staging environments, or configurations.

In the management API sample requests shown in this document, the {{apiPath}} variable in the sample requests represents the regional domain for the PingOne server. This variable stands for for environments in the North America region, for environments in the Canada region, for environments in the European Union region, and for environments in the Asia-Pacific region.

For more information, see Environments.

Environments contain many of the core resources on which all identity services are built. Environments encompass:

For more information, see Sign-on policies and Sign-on policy actions.

Roles, entitlements, and permissions

Roles, permissions, and entitlements are defined at the root of the platform. Roles are assigned to users, and these user roles include a scope property to grant the user permissions corresponding to the role. For example, a role of Identity Admin contains permissions allowing the subject to read and edit user data. When this role is assigned to a user, it can be assigned with the scope property that identifies a population or an environment to which the permissions apply.

Self-service application permissions are described using scopes rather than roles. Scopes are more narrowly defined roles in that a scope cannot cross an environment boundary, and it is restricted to a specific task. For example, the p1:read:user scope grants permission to read the user resource’s data only; it does not grant permission to read another user’s data or perform create, update, or delete operations on user resources.

For more information, see Roles and Resource scopes.


The license resource identifies the organization that owns the license, the licensing package type, and the expiration date for the license.

For more information, see Licensing.

Identity accounts

Active identity counts use authentication and password-evaluation user events to determine whether an identity is active within a specified sampling period. Total identity counts provide the number of unique identities associated with a specified environment per day.

For more information, see Active identity counts and Total identities.