--- title: Application Permissions description: The PingOne Authorize application resources and roles service provides endpoints to define custom roles and permissions within PingOne to protect external application resources. component: pingone-api page_id: pingone-api:authorize:application-permissions canonical_url: https://developer.pingidentity.com/pingone-api/authorize/application-permissions.html --- # Application Permissions The PingOne Authorize application resources and roles service provides endpoints to define custom roles and permissions within PingOne to protect external application resources. To create and manage application roles and permissions, see: * [View application resources](application-permissions/application-resources.html) Provides endpoints to list the representations of external applications in PingOne. For create, update, and delete operations for application resources, refer to [Application resources](application-permissions/application-resources.html). * [Application resource permissions](application-permissions/application-resource-permissions.html) Provides endpoints to define and manage permissions on the application resource. * [Application roles](application-permissions/application-roles.html) Provides endpoints to define and manage application roles in PingOne. Roles contain application permissions. Application roles can be assigned to PingOne users. * [Application role permissions](application-permissions/application-role-permissions.html) Provides endpoints to define and manage access control permissions, expected to be defined by a customer application developer. An application permission is comprised of an action and a protected resource, such as `read:accounts`. When a permission is added to a role, it creates a role entry. A subject assigned to a role is authorized for the permissions represented by the role's entries. * [Application role assignments by role](application-permissions/application-role-assignments.html) Provides an endpoint to read application role assignments by role. The endpoint specifies a role ID in the request URL and the operation returns the role assignments associated with the identified role. * [User application role assignments](../platform/users/user-application-role-assignments.html) Provides endpoints to define and manage application role assignments associated with user resources.