Environments define separate working domains within an organization. Environments are used to model regions within a large global enterprise such as NA (North America) or EU (European Union). They are also used as the defining entity to segregate enterprise operations by functionality, staging environments, or configurations.

In the management API sample requests shown in this document, the {{apiPath}} variable in the sample requests represents the regional domain for the PingOne server. This variable stands for https://api.pingone.com/v1 for environments in the North America region, https://api.pingone.ca/v1 for environments in the Canada region, https://api.pingone.eu/v1 for environments in the European Union region, and https://api.pingone.asia/v1 for environments in the Asia-Pacific region.

For more information, see Environments.

Environments contain many of the core resources on which all identity services are built. Environments encompass:

For more information, see Sign-on policies and Sign-on policy actions.

Roles, entitlements, and permissions

Roles, permissions, and entitlements are defined at the root of the platform. Roles are assigned to users, and these user roles include a scope property to grant the user permissions corresponding to the role. For example, a role of Identity Admin contains permissions allowing the subject to read and edit user data. When this role is assigned to a user, it can be assigned with the scope property that identifies a population or an environment to which the permissions apply.

Self-service application permissions are described using scopes rather than roles. Scopes are more narrowly defined roles in that a scope cannot cross an environment boundary, and it is restricted to a specific task. For example, the p1:read:user scope grants permission to read the user resource’s data only; it does not grant permission to read another user’s data or perform create, update, or delete operations on user resources.

For more information, see Roles and Resource scopes.


The license resource identifies the organization that owns the license, the licensing package type, and the expiration date for the license.

For more information, see Licensing.