PingOne Platform APIs

Control access to applications through roles and groups

The applications data model includes optional accessControl properties that, when set, specify the conditions that must be met by an authenticating actor to access the application. The application properties that control application access are:

  • accessControl.role.type

    This property specifies that an administrator role is required to access the application. Its only supported value is ADMIN_USERS_ONLY, which requires the actor to hold at least one of the following administrator roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer. For more information about roles, refer to Roles in the PingOne Platform API Reference. If this property is not set, access to the application is not restricted by administrator roles.

  • accessControl.group.type

    This property specifies that the actor must be a member of a particular group (or groups) to access the application. Set it to ANY_GROUP to require membership in at least one of the groups listed in accessControl.group.groups, or to ALL_GROUPS to require membership in every group listed there. If this property is not set, access to the application is not restricted by groups.

  • accessControl.group.groups

    This property lists the IDs of one or more groups that control access to the application. If more than one group is listed, the actor must belong to at least one of them (when accessControl.group.type is ANY_GROUP) or to all of them (when accessControl.group.type is ALL_GROUPS). If this property is not set, access to the application is not restricted by groups.
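The following is an added example, not code from the PingOne documentation or SDK: it builds the accessControl object for an application from the three properties above and rejects the combinations the page rules out (an unknown role or group type, or accessControl.group.type set without accessControl.group.groups and vice versa). The JSON shape of the group list (a list of {"id": ...} objects), the helper names and the sample application and group IDs are assumptions made for the illustration.

```python
"""Build and validate the accessControl object of a PingOne application.

Added example, not code from the PingOne documentation or SDK. Property names
follow the documentation; the JSON shape of the group list (a list of
{"id": ...} objects) and the sample IDs are assumptions.
"""
import json

ROLE_TYPES = {"ADMIN_USERS_ONLY"}
GROUP_TYPES = {"ANY_GROUP", "ALL_GROUPS"}


def access_control_errors(role_type=None, group_type=None, group_ids=None):
    """Return the reasons a combination is invalid (an empty list means valid)."""
    errors = []
    if role_type is not None and role_type not in ROLE_TYPES:
        errors.append(f"accessControl.role.type must be one of {sorted(ROLE_TYPES)}, got {role_type!r}")
    if group_type is not None and group_type not in GROUP_TYPES:
        errors.append(f"accessControl.group.type must be one of {sorted(GROUP_TYPES)}, got {group_type!r}")
    # The two group properties are set together or not at all.
    if (group_type is None) != (not group_ids):
        errors.append("accessControl.group.type and accessControl.group.groups must be set together")
    return errors


def build_access_control(role_type=None, group_type=None, group_ids=None):
    """Return the accessControl dict for the given conditions, or raise ValueError."""
    errors = access_control_errors(role_type, group_type, group_ids)
    if errors:
        raise ValueError("; ".join(errors))
    access_control = {}
    if role_type is not None:
        access_control["role"] = {"type": role_type}
    if group_type is not None:
        unique_ids = list(dict.fromkeys(group_ids))  # drop duplicate IDs, keep order
        access_control["group"] = {"type": group_type,
                                   "groups": [{"id": gid} for gid in unique_ids]}
    return access_control


def apply_access_control(application, access_control):
    """Return a copy of the application representation with accessControl replaced.

    An empty accessControl removes the key, which lifts the restriction entirely.
    """
    updated = dict(application)
    if access_control:
        updated["accessControl"] = access_control
    else:
        updated.pop("accessControl", None)
    return updated


if __name__ == "__main__":
    # Constructed sample: a trimmed application representation as returned by GET.
    app = {"id": "app-0001", "name": "Admin Console Lite", "enabled": True,
           "accessControl": {"role": {"type": "ADMIN_USERS_ONLY"}}}
    # Require an administrator role AND membership in every listed group.
    ac = build_access_control("ADMIN_USERS_ONLY", "ALL_GROUPS", ["grp-sec-ops", "grp-oncall"])
    print(json.dumps(apply_access_control(app, ac), indent=2))
```

The resulting object is what you place in the application's accessControl property when you update the application through the API; the validation step catches the "one group property without the other" mistake before the request is sent.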

Application access control for OpenID Connect applications

When accessControl properties are set for an application, the authenticating actor must meet the requirements specified in the application’s accessControl properties to get a token.

To implement role-based application access control:

  1. Set the accessControl.role.type property value to ADMIN_USERS_ONLY.

  2. Ensure that the authenticating actor has at least one assigned administrator role.

If the actor has an assigned administrator role, a token is issued that allows access to the application.

To implement group-based application access control:

  1. Set the accessControl.group.type property value to either ANY_GROUP or ALL_GROUPS.

  2. Set the accessControl.group.groups property value to the list of group IDs to which an actor must belong. For information about obtaining group IDs, refer to Groups in the PingOne Platform API Reference.

These two properties must be set together: if you set one of the application's access control group properties, you must also set the other.

If the actor belongs to at least one group (for the ANY_GROUP type), or all groups (for the ALL_GROUPS type), a token is issued that allows access to the application.

For OIDC applications, the application's accessControl conditions are evaluated when a token is requested through the authorization_code or implicit flow, to determine whether the user can be issued a token. If the user already has an access token, the conditions are not re-evaluated for refresh token or token introspection operations. One consequence: removing a user from a required group, or removing an administrator role, does not invalidate tokens the user already holds; the change takes effect when the user next authenticates through one of the evaluated flows, or once the existing tokens expire or are revoked.
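The following is an added example, not PingOne code, that models the decision the two procedures above and this paragraph describe: the role condition, ANY_GROUP versus ALL_GROUPS, and the fact that refresh and introspection do not re-check the conditions once a token exists. The actor representation (a dict with "roles" and "groups"), the operation names, and the sample application, users and group IDs are assumptions for the illustration; PingOne's other checks (credentials, consent, token validity) are deliberately out of scope.

```python
"""Simulate PingOne's evaluation of application accessControl at token issuance.

Added example, not PingOne code. The decision rules follow the documentation;
the actor representation and sample IDs are assumptions for the illustration.
"""

ADMIN_ROLES = {"Organization Admin", "Environment Admin",
               "Identity Data Admin", "Client Application Developer"}

# Flows for which accessControl is evaluated ...
EVALUATED_FLOWS = {"authorization_code", "implicit"}
# ... and operations for which it is not re-evaluated once a token exists.
NOT_REEVALUATED = {"refresh_token", "introspection"}


def meets_access_control(access_control, actor):
    """Return (allowed, reason) for an actor against an accessControl object."""
    access_control = access_control or {}

    role = access_control.get("role")
    if role and role.get("type") == "ADMIN_USERS_ONLY":
        if not set(actor.get("roles", ())) & ADMIN_ROLES:
            return False, "actor holds no administrator role"

    group = access_control.get("group")
    if group:
        required = {g["id"] for g in group.get("groups", [])}
        member_of = set(actor.get("groups", ()))
        if group.get("type") == "ANY_GROUP" and not required & member_of:
            return False, "actor belongs to none of the required groups"
        if group.get("type") == "ALL_GROUPS" and not required <= member_of:
            missing = sorted(required - member_of)
            return False, f"actor is missing required groups: {missing}"

    return True, "accessControl conditions met"


def decide(application, actor, operation):
    """Return (proceed, reason): whether accessControl lets an operation continue.

    Only the accessControl check is modelled; credential, consent and token
    validity checks are out of scope here.
    """
    if operation in NOT_REEVALUATED:
        # Conditions are not evaluated for refresh or introspection once the
        # user holds an access token, so a membership or role change does not
        # cut off an existing session at this point.
        return True, "accessControl not evaluated for this operation"
    if operation not in EVALUATED_FLOWS:
        raise ValueError(f"unknown operation {operation!r}")
    return meets_access_control(application.get("accessControl"), actor)


if __name__ == "__main__":
    # Constructed sample: an administrator role plus membership in both groups.
    app = {"id": "app-0001", "accessControl": {
        "role": {"type": "ADMIN_USERS_ONLY"},
        "group": {"type": "ALL_GROUPS",
                  "groups": [{"id": "grp-sec-ops"}, {"id": "grp-oncall"}]}}}
    alice = {"roles": ["Environment Admin"], "groups": ["grp-sec-ops", "grp-oncall"]}
    bob = {"roles": ["Environment Admin"], "groups": ["grp-sec-ops"]}
    carol = {"roles": [], "groups": ["grp-sec-ops", "grp-oncall"]}
    for name, actor in ("alice", alice), ("bob", bob), ("carol", carol):
        print(name, "authorization_code ->", decide(app, actor, "authorization_code"))
    # Bob already holds a token and refreshes it: the conditions are not re-checked.
    print("bob refresh_token ->", decide(app, bob, "refresh_token"))
```

Run as written, only alice is issued a token through the authorization_code flow; bob is refused for the missing group and carol for the missing role, yet bob's refresh is not blocked by accessControl, which is the behaviour to keep in mind when you rely on group removal to cut off access.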

Application access control for SAML applications

When accessControl properties are set for a SAML application, the authenticating actor must meet the requirements specified in the application's accessControl properties to get an assertion. The steps to define the accessControl properties for role-based and group-based conditions are the same as for OIDC applications. If the authenticating actor meets the application's access control conditions, an assertion is created. If the conditions are not met, the sign-on attempt returns an authorization failed error.