A POST /environments/{environmentId}/resources/{resourceId}/scopes operation that includes the schemaAttributes property creates a new PingOne API access control scope. The request URL specifies the new scope’s name by adding a suffix to one of the platform scopes that support access control. At this time, the following platform self scopes support access control:

p1:read:user
p1:update:user

The schemaAttributes array lists the user schema attributes that the end user has permission to read or update. If a user attribute is not listed, end users cannot see or update its value.

The request body must specify a value for the scope’s name property. The name value includes the name of the platform scope and a descriptive suffix separated by a colon. For example, an access control scope that allows end users to update their email address only could be named p1:update:user:email-only.

Important: The p1:update:user:{suffix} self-service scope is not granted if the user authenticates with an authoritative identityProvider - the user has a user.identityProvider.id value set and their user.identityProvider.type value is not PING_ONE.