The ability to perform an action using PingOne APIs is determined by roles. For example, when you initiate a request to a PingOne endpoint, you must have the permissions required by the endpoint to execute the request.
Admin permissions
Admin permissions in PingOne are associated with the following roles:
Organization Admin
The Organization Admin role provides user permissions to perform the following PingOne API operations:
- Read organization resources.
- Create, read, update, delete, and promote environment resources.
- Read license resources and update a license’s mutable properties.
Environment Admin
The Environment Admin role provides user permissions to perform the following PingOne API operations:
- Assign Configuration Read Only administrators
- If an Environment admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Environment admin has only the full role assigned to them, they will not see the Configuration Read Only role assigned to themselves. However, they will be able to assign the Configuration Read Only role to other actors.
- Read and promote environments
- Read license resources
- Read, create, update, and delete population resources
- Read organization resources
- Read and update password policy resources
- Read and create notifications resources and email resources
- Update and delete branding resources
- Read audit reporting activities resources
- Read, create, update, and delete sign-on policy resources
- Read and update schema resources
- Read, update, and delete mapping resources
- Read and update application role assignments resources
- Read, create, update, and delete application (client) resources
- Read and update an application’s client_secret resources
- Read, create, update, and delete application grant resources
- Read, create, update, and delete application attribute resources
- Read, create, update, and delete application role assignments resources
- Read, create, update, and delete application sign-on policy assignments resources
- Read, create, update, and delete application push credentials resources
- Read, create, update, and delete certificate and key resources
- Read, create, update, and delete identity provider resources
- Read, create, update, and delete resource entity resources
- Read, create, update, and delete resource scope resources
- Read, create, update, and delete risk policy set resources
Configuration Read Only Admins
Configuration Read Only admins have read permissions for the following PingOne API operations:
- Read environments
- Read license resources
- Read population resources
- Read organization resources
- Read password policy resources
- Read annotifications resources and email resources
- Read audit reporting activities resources
- Read sign-on policy resources
- Read schema resources
- Read mapping resources
- Read application role assignments resources
- Read application (client) resources
- Read an application’s client_secret resources
- Read application grant resources
- Read application attribute resources
- Read application role assignments resources
- Read application sign-on policy assignments resources
- Read application push credentials resources
- Read certificate and key resources
- Read identity provider resources
- Read resource entity resources
- Read resource scope resources
- Read risk policy set resources
Identity Data Admin
The Identity Data Admin role provides user permissions to perform the following PingOne API operations:
- Assign Identity Data Read Only administrators
- If an Identity Data admin has both the full and read only roles assigned to them, they’ll see both roles assigned to themselves, and they’ll be able to assign both roles to other actors.
- If an Identity Data admin has only the full role assigned to them, they will not see the Identity Data Read Only role assigned to themselves. However, they will be able to assign the Identity Data Read Only role to other actors.
- Read, create, update, and delete user resources
- Read, create, update, and delete user role assignments resources
- Read, create, update, and delete device management resources
- Read and delete linked accounts resources
- Read, create, update, and delete pairing key resources
- Read user role assignments
- Assign identity resources
- Read license resources
- Read certificate resources
- Update user password resources
- Read user password state resources
- Read password policy resources
- Read audit reporting activities resources
- Read schema resources
- Read, create, update, and delete risk evaluation resources
Identity Data Read Only Admin
Identity Data Read Only admins have permissions to perform the following PingOne API operations:
- Read user resources
- Read user role assignments resources
- Read device management resources
- Read linked accounts resources
- Read pairing key resources
- Read user role assignments
- Read license resources
- Read certificate resources
- Read user password state resources
- Read password policy resources
- Read audit reporting activities resources
- Read schema resources
- Read risk evaluation resources
Client Application Developer
The Client Application Developer role provides user permissions to perform the following PingOne API operations:
- Read, create, update, and delete application (client) resources
- Read and update an application’s client_secret resources
- Read, create, update, and delete application grant resources
- Read, create, update, and delete application attribute resources
- Read, create, update, and delete application role assignments resources
- Read, create, update, and delete application sign-on policy assignments resources
- Read, create, update, and delete application push credentials resources
- Read, create, update, and delete resource entity resources
- Read, create, update, and delete scope resources
- Read, create, update, and delete identity provider resources
- Read schema resources
- Read organization resources
Automatic role assignments
Role assignments determine access to PingOne APIs. When an application or user creates a new PingOne resource over which roles can be assigned, they are assigned all possible roles that can be assigned for the environment or population. For example, if an actor creates a new environment, the actor receives the Environment Admin, Identity Data Admin, and the Client Application Developer roles over that new environment. If the actor already has an existing organization-level Environment Admin role, the Environment Admin role would not be assigned again to the actor. Likewise, if the actor creates a new population, the actor receives the Identity Data Admin role automatically (unless the actor already has that assigned role).
Users and applications cannot create actors that have more privileges than the user or application itself. For example, to create a user or an application that has Environment Admin privileges, the actor assigning roles must also have Environment Admin privileges. The actor (user or application) assigning roles must have the permissions that they are trying to assign. The requesting user or application must have the same (or broader) role assignments as the target actor’s role assignments.
When creating PingOne resources, the following roles are assigned to the actor automatically when these PingOne entities are created:
-
Environments
Environment Admin: Assigned for the created environment at the environment level, if the actor does not already have the Environment Admin role at the parent organization level.
Identity Data Admin: Assigned for the created environment at the environment level.
Client Application Developer: Assigned for the created environment at the environment level.
-
Populations
Identity Data Admin: Assigned for the created population at the population level, if the actor does not already have the Identity Data Admin role at the parent environment level.
Roles data model
| Property |
Description |
actor.id |
A string that specifies the ID of the actor. |
actor.environmentId |
A string that specifies the ID of the environment in which the actor exists. |
actor.type |
A string that specifies the type of the actor. Options are users and clients. |
description |
A string that specifies the description of the resource. |
environment.id |
A string that specifies the environment resource’s unique identifier associated with the resource. |
id |
A string that specifies the resource’s unique identifier. |
name |
A string that specifies the resource name. |
role.applicableTo |
A string that specifies the scope to which the role applies. |
role.description |
A string that specifies the description of the role. |
role.id |
A string that specifies the ID of the role. |
role.permissions |
A string that specifies the set of permissions assigned to the role. |
role.permissions.classifier |
A string that specifies the resource for which the permission is applicable. |
role.permissions.description |
A string that specifies the description of what the permission enables for the role. |
role.scope.id |
A string that specifies the ID of the role assignment scope. |
role.scope.type |
A string that specifies the type of resource defining the scope of the role assignment. Options are PLATFORM, ORGANIZATION, ENVIRONMENT, POPULATION, and ACTOR. |
type |
A string that specifies the type of resource. Options are PLATFORM and CUSTOM. |
Response codes
| Code |
Message |
| 200 |
Successful operation. |
| 201 |
Successfully created. |
| 204 |
Successfully removed. No content. |
| 400 |
The request could not be completed. |
| 401 |
You do not have access to this resource. |
| 403 |
You do not have permissions or are not licensed to make this request. |
| 404 |
The requested resource was not found. |