The ability to perform an action using PingOne APIs is determined by roles. For example, when you initiate a request to a PingOne endpoint, you must have the permissions required by the endpoint to execute the request.

Admin permissions

Admin permissions in PingOne are associated with the following roles:

Organization Admin

The Organization Admin role provides user permissions to perform the following PingOne API operations:

Create and read bootstrap.
Create keys.
Read dashboards
Read organizations.
Create, read, update, promote, and delete environments.
Read and update environment license and update license’s mutable properties.
Create and read data explorations and read data exploration templates.
Request decisions from and read decisions of PingOne Authorize decision endpoint.
Create and read deployment resources.
Create, read, update, and delete orchestration flows for Ping Enterprise deployments.
Create, read, update, and delete orchestration flows for Ping Intelligence deployments.
Read, update, and delete integrations in integration catalog.
Read PingOne Advanced Services customer configuration.
Delete PingOne Advanced Services environment.
Create, read, update, and delete PingOne Advanced Services orchestrations.
Create, read, update, and delete PingOne Authorize decision endpoints.
Create, read, update, test, and delete PingOne Authorize entities.
Read PingOne Authorize deployment packages.
Read PingOne Authorize policy versions.
Create, read, update, and delete PingOne Authorize policy version tags.

Environment Admin

The Environment Admin role provides user permissions to perform the following PingOne API operations:

Assign Configuration Read Only administrators
- If an Environment admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Environment admin has only the full role assigned to them, they will not see the Configuration Read Only role assigned to themselves. However, they will be able to assign the Configuration Read Only role to other actors.

Read dashboards.
Read organizations.
Read groups.
Create, read, update, and delete agreements.
Create, read, update, and delete alert channels.
Create, read, update, and delete an application’s OIDC settings.
Read, update, and delete an application’s push credentials information.
Read application’s client secret.
Create, read, and update attributes in resources and delete attributes from resources.
Read audit activity.
Read and update branding settings.
Create, update, and delete branding.
Create, read, update, and delete certificates.
Create and read configuration for a specific environment.
Read connection sensitive configuration.
Create, read, update, and delete custom domains.
Create and delete custom FIDO device metadata.
Create, read, update, and delete custom roles.
Read data exploration templates.
Create and read data exploration.
Request decisions from and read decisions of PingOne Authorize decision endpoint.
Create and read deployment resources.
Create, read, update, and delete device authentication policies.
Create, read, update, and delete email domains.
Create, read, update, and delete end user UI configurations.
Read, update, and promote environments.
Check external sass connections.
Invoke external service requests.
Read and update external service secrets.
Create, read, update, and delete external services.
Read FIDO device metadata.
Create, read, update, and delete FIDO policies.
Create, read, update, and delete flow definitions.
Execute flows.
Create, read, update, and delete forms.
Read fraud sessions.
Read fraud SSO logins.
Read fraud evaluations.
Create and read fraud feedback.
Read, update, and delete gateway role assignments.
Create, read, update, and delete gateways.
Create, read, update, and delete identity providers.
Create, read, and delete images.
Read integrations in integration catalog.
Create, read, update, and delete keys.
Create, read, update, and delete languages.
Read licenses.
Create, read, update, and delete managed API servers.
Read, update, and delete mappings.
Read, update, and reset MFA settings.
Generate client secrets.
Issue Key Distribution Center (KDC) certificates.
Create push credentials for applications.
Create, read, update, and delete single resource access grants for an application.
Create notifications.
Read notification templates.
Create, read, update, and delete notification template’s contents.
Create, read, update, and delete notifications policies.
Read, update, and reset notifications settings.
Read and update orchestration flow for Ping Enterprise deployments.
Read and update orchestration flow for Ping Intelligence deployments.
Create, read, update, and delete password policies.
Create and delete PingID products.
Delete PingOne Advanced Services environments.
Create, read, and update PingOne Advanced Services orchestrations.
Create, read, and update PingOne Authorize decision endpoints.
Read PingOne Authorize deployment packages.
Create, read, update, test, and delete PingOne Authorize entities.
Read PingOne Authorize policy versions.
Create, read, update, and delete PingOne Authorize policy version tags.
Read, update, and delete plans.
Create, read, update, and delete populations.
Read, update, and delete reCAPTCHA V2 configurations.
Create, read, update, and delete resources from an environment.
Create, read, update, and delete risk policies.
Create, read, update, and delete risk predictors.
Read and update roles assigned to applications.
Read, update, and delete rules.
Read, update, and delete schemas.
Create, read, and update scopes in and delete scopes from resources.
Create, read, update, and delete sign-on policies.
Create, read, update, and delete sign-on policy assignments.
Read, update, and delete stores.
Read user’s target store sync status.
Create, read, update, and delete subscriptions.
Create, read, update, and delete themes.

Identity Data Admin

The Identity Data Admin role provides user permissions to perform the following PingOne API operations:

Assign Identity Data Read Only administrators
- If an Identity Data admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Identity Data admin has only the full role assigned to them, they will not see the Identity Data Read Only role assigned to themselves. However, they will be able to assign the Identity Data Read Only role to other actors.

Read dashboards.
Read organizations.
Read environments.
Read populations
Read audit activity.
Read certificates.
Read deployment resources.
Create, read, and update credential issuer profiles.
Create, read, and update credential type or issue credential to user.
Create, read, update, and delete custom roles.
Read data exploration templates.
Create and read data exploration.
Perform direct LDAP operations through the LDAP gateway.
Create and read fraud evaluations.
Create and read fraud feedback.
Read fraud sessions.
Create, read, update, and delete groups.
Create, read, and delete group memberships.
Read identity provider information.
Create, read, and delete images.
Read licenses.
Create, read, and delete linked accounts for users.
Create pairing keys for users.
Read password policies.
Read and update PingID user integrations (services).
Read PingID user last activity.
Reset PingID users.
Read, update, reset PingOne Verify configurations.
Create, read, update, and delete PingOne Verify transactions.
Read and delete PingOne Verify verified user data.
Create predictions.
Read risk policies.
Read risk predictors.
Create, read, and update risk evaluations.
Read and update roles assigned to users.
Read schemas.
Unlock user account
Create, read, and delete user consent.
Validate user credentials using Kerberos.
Verify user using verification code.
Set user’s cleartext or pre-encoded password.
Create, read, update, delete user’s device.
Authenticate using user’s device.
Create, read, update, import, and delete users.
Update user’s enabled status
Update user’s identity provider
Update user’s MFA enabled status
Read and delete user’s pairing key information.
Read user’s password state.
Validate, recover, reset, and unlock user’s password.
Read and delete user’s sessions.
Read user’s target store sync status.
Update user’s verify status.
Read and delete user’s verified data.

Client Application Developer

The Client Application Developer role provides user permissions to perform the following PingOne API operations:

Read dashboards.
Read organizations.
Read environments.
Read groups.
Read populations.
Read certificates.
Read deployment resources.
Read keys.
Read licenses.
Read integrations in integration catalog.
Read flow definitions.
Read forms.
Read branding settings.
Read themes.
Read schemas.
Read sign-on policies.
Create, read, update, and delete application’s OIDC settings.
Read, update, and delete an application’s push credentials information.
Create, read, and update attributes in and delete attributes from resources.
Read data exploration templates.
Create and read data explorations.
Read and update identity provider information.
Create and delete identity providers.
Create, read, and delete images.
Create, read, update, and delete managed API servers.
Generate and read application’s client secret.
Create push credentials for application
Create, read, update, and delete single resource access grant for applications.
Read orchestration flow for Ping Enterprise deployments.
Read orchestration flow for Ping Intelligence deployments.
Read PingOne Advanced Services orchestrations.
Read reCAPTCHA V2 configuratipons.
Create, read, and update resources in environments and delete resources from environments.
Read and update roles assigned to applications.
Create, read, and update scopes in and delete scopes from resources.
Create, read, update, and delete sign-on policy assignments.

Identity Data Read Only

Identity Data Read Only admins have permissions to perform the following PingOne API operations:

Read audit activity.
Read certificates.
Read credential issuer profile.
Read credential type or issue credential to user.
Read custom roles.
Read dashboards.
Read data exploration template.
Read data explorations.
Read deployment resources.
Read environmentss
Read fraud evaluations.
Read fraud feedback.
Read fraud sessions.
Read group membership.
Read groups.
Read identity provider information.
Read images.
Read licenses.
Read linked accounts for users.
Read organizations.
Read password policies.
Read PingID user integrations (services).
Read PingID user last activity.
Read PingOne Verify configuration.
Read PingOne Verify transactions.
Read populations.
Read risk evaluations.
Read risk policies.
Read risk predictors.
Read roles assigned to users.
Read schemas.
Read user consent.
Read user’s device.
Read user’s pairing key information.
Read user’s password state.
Read user’s sessions.
Read user’s target store sync status.
Read users.

Configuration Read Only

Configuration Read Only admins have read permissions for the following PingOne API operations:

Read agreements.
Read alert channels.
Read application’s OIDC settings.
Read application’s push credentials information.
Read application’s client secret.
Read attributes from resources.
Read audit activity.
Read branding settings.
Read certificates.
Read custom domains.
Read custom roles.
Read dashboards.
Read data exploration templates.
Create data exploration.
Read data explorations.
Read decision of PingOne Authorize decision endpoint.
Read deployment resources.
Read device authentication policies.
Read email domains.
Read end user UI configurations.
Read environments.
Read external service secrets.
Read external services.
Read FIDO device metadata.
Read FIDO policies.
Read flow definitions.
Read forms.
Read fraud evaluations.
Read fraud feedback.
Read fraud sessions.
Read fraud SSO logins.
Read gateway role assignments.
Read gateways.
Read groups.
Read identity provider information.
Read images.
Read integration in integration catalog.
Read keys.
Read languages.
Read licenses.
Read managed API servers.
Read mappings.
Read MFA settings.
Read notification template’s content.
Read notification templates.
Read notifications policies.
Read notifications settings.
Read orchestration flow for Ping Enterprise deployment.
Read orchestration flow for Ping Intelligence deployment.
Read organizations.
Read password policies.
Read PingOne Advanced Services orchestration.
Read PingOne Authorize decision endpoint.
Read PingOne Authorize deployment packages.
Read PingOne Authorize entities.
Read PingOne Authorize policy version tags.
Read PingOne Authorize policy versions.
Read plans.
Read populations.
Read reCAPTCHA V2 configurations.
Read resources from environment.
Read risk policies.
Read risk predictors.
Read roles assigned to applications.
Read rules.
Read schemas.
Read scopes from resources.
Read sign-on policies.
Read sign-on policy assignments.
Read single resource access grant for an application.
Read stores.
Read subscriptions.
Read themes.
Read user’s target store sync status.

Automatic role assignments

Role assignments determine access to PingOne APIs. When an application or user creates a new PingOne resource over which roles can be assigned, they are assigned all possible roles that can be assigned for the environment or population. For example, if an actor creates a new environment, the actor receives the Environment Admin, Identity Data Admin, and the Client Application Developer roles over that new environment. If the actor already has an existing organization-level Environment Admin role, the Environment Admin role would not be assigned again to the actor. Likewise, if the actor creates a new population, the actor receives the Identity Data Admin role automatically (unless the actor already has that assigned role).

Users and applications cannot create actors that have more privileges than the user or application itself. For example, to create a user or an application that has Environment Admin privileges, the actor assigning roles must also have Environment Admin privileges. The actor (user or application) assigning roles must have the permissions that they are trying to assign. The requesting user or application must have the same (or broader) role assignments as the target actor’s role assignments.

When creating PingOne resources, the following roles are assigned to the actor automatically when these PingOne entities are created:

Environments

Environment Admin: Assigned for the created environment at the environment level, if the actor does not already have the Environment Admin role at the parent organization level.

Identity Data Admin: Assigned for the created environment at the environment level.

Client Application Developer: Assigned for the created environment at the environment level.
Populations

Identity Data Admin: Assigned for the created population at the population level, if the actor does not already have the Identity Data Admin role at the parent environment level.

Roles data model

Property	Description
`actor.id`	A string that specifies the ID of the actor.
`actor.environmentId`	A string that specifies the ID of the environment in which the actor exists.
`actor.type`	A string that specifies the type of the actor. Options are `users` and `clients`.
`description`	A string that specifies the description of the resource.
`environment.id`	A string that specifies the environment resource’s unique identifier associated with the resource.
`id`	A string that specifies the resource’s unique identifier.
`name`	A string that specifies the resource name.
`role.applicableTo`	A string that specifies the scope to which the role applies.
`role.description`	A string that specifies the description of the role.
`role.id`	A string that specifies the ID of the role.
`role.permissions`	A string that specifies the set of permissions assigned to the role.
`role.permissions.classifier`	A string that specifies the resource for which the permission is applicable.
`role.permissions.description`	A string that specifies the description of what the permission enables for the role.
`role.scope.id`	A string that specifies the ID of the role assignment scope.
`role.scope.type`	A string that specifies the type of resource defining the scope of the role assignment. Options are `PLATFORM`, `ORGANIZATION`, `ENVIRONMENT`, `POPULATION`, and `ACTOR`.
`type`	A string that specifies the type of resource. Options are `PLATFORM` and `CUSTOM`.

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
204	Successfully removed. No content.
400	The request could not be completed.
401	You do not have access to this resource.
403	You do not have permissions or are not licensed to make this request.
404	The requested resource was not found.