The ability to perform an action using PingOne APIs is determined by roles. For example, when you initiate a request to a PingOne endpoint, you must have the permissions required by the endpoint to execute the request. Permissions in PingOne are associated with the following roles:

Automatic role assignments

Role assignments determine access to PingOne APIs. When an application or user creates a new PingOne resource over which roles can be assigned, they are assigned all possible roles that can be assigned for the environment or population. For example, if an actor creates a new environment, the actor receives the Environment Admin, Identity Data Admin, and the Client Application Developer roles over that new environment. If the actor already has an existing organization-level Environment Admin role, the Environment Admin role would not be assigned again to the actor. Likewise, if the actor creates a new population, the actor receives the Identity Data Admin role automatically (unless the actor already has that assigned role).

Users and applications cannot create actors that have more privileges than the user or application itself. For example, to create a user or an application that has Environment Admin privileges, the actor assigning roles must also have Environment Admin privileges. The actor (user or application) assigning roles must have the permissions that they are trying to assign. The requesting user or application must have the same (or broader) role assignments as the target actor’s role assignments.

The following roles are assigned to the actor automatically when these PingOne entities are created:

Roles data model

| Property | Description |
| --- | --- |
| actor.id | A string that specifies the ID of the actor. |
| actor.environmentId | A string that specifies the ID of the environment in which the actor exists. |
| actor.type | A string that specifies the type of the actor. Options are users and clients. |
| description | A string that specifies the description of the resource. |
| environment.id | A string that specifies the environment resource’s unique identifier associated with the resource. |
| id | A string that specifies the resource’s unique identifier. |
| name | A string that specifies the resource name. |
| role.applicableTo | A string that specifies the scope to which the role applies. |
| role.description | A string that specifies the description of the role. |
| role.id | A string that specifies the ID of the role. |
| role.permissions | A string that specifies the set of permissions assigned to the role. |
| role.permissions.classifier | A string that specifies the resource for which the permission is applicable. |
| role.permissions.description | A string that specifies the description of what the permission enables for the role. |
| role.scope.id | A string that specifies the ID of the role assignment scope. |
| role.scope.type | A string that specifies the type of resource defining the scope of the role assignment. Options are PLATFORM, ORGANIZATION, ENVIRONMENT, POPULATION, and ACTOR. |
| type | A string that specifies the type of resource. Options are PLATFORM and CUSTOM. |
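
The rule that an actor cannot grant more privileges than it holds, checked over the role ID, scope type and scope ID properties listed above. This is an added example, not PingOne's own enforcement code: the scope hierarchy, the `PARENTS` map and all IDs are constructed assumptions, and a role held over an enclosing scope is assumed to cover the scopes inside it.

```python
# Added example: pre-flight check for the "no more privileges than yourself" rule.
# Assumption: a role held over an enclosing scope covers the scopes inside it.
from typing import NamedTuple

class Assignment(NamedTuple):
    role_id: str     # role.id
    scope_type: str  # role.scope.type
    scope_id: str    # role.scope.id

# Constructed hierarchy (hypothetical IDs): child scope ID -> enclosing scope.
PARENTS = {
    "env-prod": ("ORGANIZATION", "org-1"),
    "env-dev": ("ORGANIZATION", "org-1"),
    "pop-staff": ("ENVIRONMENT", "env-prod"),
}

def scope_chain(scope_type, scope_id):
    """Yield the scope itself, then each enclosing scope up to the root."""
    seen = set()
    while (scope_type, scope_id) not in seen:  # guard against a cyclic map
        seen.add((scope_type, scope_id))
        yield scope_type, scope_id
        if scope_id not in PARENTS:
            return
        scope_type, scope_id = PARENTS[scope_id]

def covers(held, wanted):
    """True if `held` is the same role over the same or a broader scope."""
    chain = scope_chain(wanted.scope_type, wanted.scope_id)
    return held.role_id == wanted.role_id and (held.scope_type, held.scope_id) in chain

def escalations(assigner, requested):
    """Return the requested assignments that no assignment of the assigner covers."""
    return [w for w in requested if not any(covers(h, w) for h in assigner)]

# Constructed sample data; role IDs are placeholders, not real PingOne role IDs.
ASSIGNER = [
    Assignment("role-environment-admin", "ORGANIZATION", "org-1"),
    Assignment("role-identity-data-admin", "ENVIRONMENT", "env-dev"),
]
REQUESTED = [
    Assignment("role-environment-admin", "ENVIRONMENT", "env-prod"),
    Assignment("role-identity-data-admin", "ENVIRONMENT", "env-dev"),
    Assignment("role-identity-data-admin", "POPULATION", "pop-staff"),
]

if __name__ == "__main__":
    for a in escalations(ASSIGNER, REQUESTED):
        print("would exceed assigner's privileges:", a)
```

Running the same check over exported role assignments before a bulk grant shows which requests the assigning actor is not entitled to make.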

Response codes

| Code | Message |
| --- | --- |
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |