The ability to perform an action using PingOne APIs is determined by roles. For example, when you initiate a request to a PingOne endpoint, you must have the permissions required by the endpoint to execute the request.

Admin permissions

Admin permissions in PingOne are associated with the following roles:

Organization Admin

The Organization Admin role provides user permissions to perform the following PingOne API operations:

Read organization resources.
Create, read, update, delete, and promote environment resources.
Read license resources and update a license’s mutable properties.

Environment Admin

The Environment Admin role provides user permissions to perform the following PingOne API operations:

Assign Configuration Read Only administrators
- If an Environment admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Environment admin has only the full role assigned to them, they will not see the Configuration Read Only role assigned to themselves. However, they will be able to assign the Configuration Read Only role to other actors.
Read and promote environments
Read license resources
Read, create, update, and delete population resources
Read organization resources
Read and update password policy resources
Read and create notifications resources and email resources
Update and delete branding resources
Read audit reporting activities resources
Read, create, update, and delete sign-on policy resources
Read and update schema resources
Read, update, and delete mapping resources
Read and update application role assignments resources
Read, create, update, and delete application (client) resources
Read and update an application’s client_secret resources
Read, create, update, and delete application grant resources
Read, create, update, and delete application attribute resources
Read, create, update, and delete application role assignments resources
Read, create, update, and delete application sign-on policy assignments resources
Read, create, update, and delete application push credentials resources
Read, create, update, and delete certificate and key resources
Read, create, update, and delete identity provider resources
Read, create, update, and delete resource entity resources
Read, create, update, and delete resource scope resources
Read, create, update, and delete risk policy set resources

Identity Data Admin

The Identity Data Admin role provides user permissions to perform the following PingOne API operations:

Assign Identity Data Read Only administrators
- If an Identity Data admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Identity Data admin has only the full role assigned to them, they will not see the Identity Data Read Only role assigned to themselves. However, they will be able to assign the Identity Data Read Only role to other actors.
Read, create, update, and delete user resources
Read, create, update, and delete user role assignments resources
Read, create, update, and delete device management resources
Read and delete linked accounts resources
Read, create, update, and delete pairing key resources
Read user role assignments
Assign identity resources
Read license resources
Read certificate resources
Update user password resources
Read user password state resources
Read password policy resources
Read audit reporting activities resources
Read schema resources
Read, create, update, and delete risk evaluation resources

Identity Data Read Only Admin

Identity Data Read Only admins have permissions to perform the following PingOne API operations:

Read user resources
Read user role assignments resources
Read device management resources
Read linked accounts resources
Read pairing key resources
Read user role assignments
Read license resources
Read certificate resources
Read user password state resources
Read password policy resources
Read audit reporting activities resources
Read schema resources
Read risk evaluation resources

Client Application Developer

The Client Application Developer role provides user permissions to perform the following PingOne API operations:

Read, create, update, and delete application (client) resources
Read and update an application’s client_secret resources
Read, create, update, and delete application grant resources
Read, create, update, and delete application attribute resources
Read, create, update, and delete application role assignments resources
Read, create, update, and delete application sign-on policy assignments resources
Read, create, update, and delete application push credentials resources
Read, create, update, and delete resource entity resources
Read, create, update, and delete scope resources
Read, create, update, and delete identity provider resources
Read schema resources
Read organization resources

Automatic role assignments

Role assignments determine access to PingOne APIs. When an application or user creates a new PingOne resource over which roles can be assigned, they are assigned all possible roles that can be assigned for the environment or population. For example, if an actor creates a new environment, the actor receives the Environment Admin, Identity Data Admin, and the Client Application Developer roles over that new environment. If the actor already has an existing organization-level Environment Admin role, the Environment Admin role would not be assigned again to the actor. Likewise, if the actor creates a new population, the actor receives the Identity Data Admin role automatically (unless the actor already has that assigned role).

Users and applications cannot create actors that have more privileges than the user or application itself. For example, to create a user or an application that has Environment Admin privileges, the actor assigning roles must also have Environment Admin privileges. The actor (user or application) assigning roles must have the permissions that they are trying to assign. The requesting user or application must have the same (or broader) role assignments as the target actor’s role assignments.

When creating PingOne resources, the following roles are assigned to the actor automatically when these PingOne entities are created:

Environments

Environment Admin: Assigned for the created environment at the environment level, if the actor does not already have the Environment Admin role at the parent organization level.

Identity Data Admin: Assigned for the created environment at the environment level.

Client Application Developer: Assigned for the created environment at the environment level.
Populations

Identity Data Admin: Assigned for the created population at the population level, if the actor does not already have the Identity Data Admin role at the parent environment level.

Roles data model

Property	Description
`actor.id`	A string that specifies the ID of the actor.
`actor.environmentId`	A string that specifies the ID of the environment in which the actor exists.
`actor.type`	A string that specifies the type of the actor. Options are `users` and `clients`.
`description`	A string that specifies the description of the resource.
`environment.id`	A string that specifies the environment resource’s unique identifier associated with the resource.
`id`	A string that specifies the resource’s unique identifier.
`name`	A string that specifies the resource name.
`role.applicableTo`	A string that specifies the scope to which the role applies.
`role.description`	A string that specifies the description of the role.
`role.id`	A string that specifies the ID of the role.
`role.permissions`	A string that specifies the set of permissions assigned to the role.
`role.permissions.classifier`	A string that specifies the resource for which the permission is applicable.
`role.permissions.description`	A string that specifies the description of what the permission enables for the role.
`role.scope.id`	A string that specifies the ID of the role assignment scope.
`role.scope.type`	A string that specifies the type of resource defining the scope of the role assignment. Options are `PLATFORM`, `ORGANIZATION`, `ENVIRONMENT`, `POPULATION`, and `ACTOR`.
`type`	A string that specifies the type of resource. Options are `PLATFORM` and `CUSTOM`.

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
204	Successfully removed. No content.
400	The request could not be completed.
401	You do not have access to this resource.
403	You do not have permissions or are not licensed to make this request.
404	The requested resource was not found.