--- title: PingOne Permissions by Resource description: Use this table when you're assigning admin roles to find the PingOne permissions based on the resource assignments. You'll also find the PingOne Permissions by Service table useful. component: pingone-api page_id: pingone-api:platform:reference/roles-and-permissions-in-pingone/permissions-by-resource canonical_url: https://developer.pingidentity.com/pingone-api/platform/reference/roles-and-permissions-in-pingone/permissions-by-resource.html --- # PingOne Permissions by Resource Use this table when you're assigning admin roles to find the PingOne permissions based on the resource assignments. You'll also find the [PingOne Permissions by Service](permissions-by-service.html) table useful. Refer to [PingOne Permissions by Identifier](pingone-permissions-by-identifier.html) for more information. The *Special* column indicates special handling of certain permissions: * **Essential**: Start building a new custom role with the minimum set of permissions needed for the role to be usable. * **Sensitive**: The permission either provides access to sensitive information, such as personal user data, or allows the bearer to perform important actions that could negatively impact the organization, such as deleting an environment. | Resource | Service | Permission | Special | | -------------------------------- | ----------------------- | ------------ | --------- | | activity | audit\_reporting | read | | | activity | pingid | read | | | adaptiveTrustPolicy | authz | create | | | adaptiveTrustPolicy | authz | read | | | adaptiveTrustPolicy | authz | update | | | adaptiveTrustPolicy | authz | delete | | | adaptiveTrustPolicyAssignment | authz | create | | | adaptiveTrustPolicyAssignment | authz | read | | | adaptiveTrustPolicyAssignment | authz | delete | | | adminConsole | privilege | access | | | adminConsole | privilege | read | | | agreement | agreements | create | | | agreement | agreements | read | | | agreement | agreements | update | | | agreement | agreements | delete | | | apiServer | authz | create | | | apiServer | authz | read | | | apiServer | authz | update | | | apiServer | authz | delete | | | apiServerDeployment | authz | deploy | | | apiServerDeployment | authz | read | | | apiUsage | visualization | read | | | application | applications | create | | | application | applications | import | | | application | applications | read | | | application | applications | update | | | application | applications | delete | | | application | p14e | admin | | | applicationEntitlement | applicationRoles | read | | | applicationPermission | applicationRoles | create | | | applicationPermission | applicationRoles | read | | | applicationPermission | applicationRoles | update | | | applicationPermission | applicationRoles | delete | | | applicationResource | applicationRoles | create | | | applicationResource | applicationRoles | read | | | applicationResource | applicationRoles | update | | | applicationResource | applicationRoles | delete | | | applicationRole | applicationRoles | create | | | applicationRole | applicationRoles | read | | | applicationRole | applicationRoles | update | | | applicationRole | applicationRoles | delete | | | applicationRoleAssignment | applicationRoles | create | | | applicationRoleAssignment | applicationRoles | read | | | applicationRoleAssignment | applicationRoles | delete | | | applicationRoleAssignments | permissions | read | | | applicationRoleAssignments | permissions | update | sensitive | | applicationRoleEntry | applicationRoles | create | | | applicationRoleEntry | applicationRoles | read | | | applicationRoleEntry | applicationRoles | delete | | | applications | davinci | create | | | applications | davinci | read | | | applications | davinci | update | | | applications | davinci | delete | | | attribute | resources | create | | | attribute | resources | read | | | attribute | resources | update | | | attribute | resources | delete | | | auditReport | p14e | admin | | | auditor | pingfederate | admin | | | authentication | visualization | read | | | authorizationAttribute | authz | create | | | authorizationAttribute | authz | read | | | authorizationAttribute | authz | test | | | authorizationAttribute | authz | update | | | authorizationAttribute | authz | delete | | | authorizationCondition | authz | create | | | authorizationCondition | authz | read | | | authorizationCondition | authz | test | | | authorizationCondition | authz | update | | | authorizationCondition | authz | delete | | | authorizationModule | authz | create | | | authorizationModule | authz | read | | | authorizationModule | authz | update | | | authorizationModule | authz | delete | | | authorizationPolicy | authz | create | | | authorizationPolicy | authz | read | | | authorizationPolicy | authz | test | | | authorizationPolicy | authz | update | | | authorizationPolicy | authz | delete | | | authorizationProcessor | authz | create | | | authorizationProcessor | authz | read | | | authorizationProcessor | authz | update | | | authorizationProcessor | authz | delete | | | authorizationRule | authz | create | | | authorizationRule | authz | read | | | authorizationRule | authz | test | | | authorizationRule | authz | update | | | authorizationRule | authz | delete | | | authorizationService | authz | create | | | authorizationService | authz | read | | | authorizationService | authz | test | | | authorizationService | authz | update | | | authorizationService | authz | delete | | | authorizationStatement | authz | create | | | authorizationStatement | authz | read | | | authorizationStatement | authz | update | | | authorizationStatement | authz | delete | | | authorizeDeployment | authz | read | | | bootstrap | bootstrap | create | | | bootstrap | bootstrap | read | | | branding | branding | update | | | branding | branding | delete | | | brandingSettings | branding | read | | | brandingSettings | branding | update | | | certificate | applications | issue | sensitive | | certificate | certmgt | create | sensitive | | certificate | certmgt | read | sensitive | | certificate | certmgt | update | sensitive | | certificate | certmgt | delete | sensitive | | channel | alerting | create | | | channel | alerting | read | | | channel | alerting | update | | | channel | alerting | delete | | | config | admin | read | | | config | admin | update | sensitive | | config | solutions | create | | | config | solutions | read | | | config | solutions | update | | | configs | enduseruiconfig | read | | | connection | osmosis | check | | | connectionSensitiveConfiguration | provisioning | get | | | connections | davinci | create | | | connections | davinci | read | | | connections | davinci | update | | | connections | davinci | delete | | | connectors | davinci | read | | | console | globalregistry | read | | | constructs | davinci | create | | | constructs | davinci | read | | | constructs | davinci | update | | | constructs | davinci | delete | | | createTestDevice | mfa | create | | | credentialSigningKey | credentialsIssuance | create | | | credentialSigningKey | credentialsIssuance | read | | | credentialSigningKey | credentialsIssuance | update | | | credentialSigningKey | credentialsIssuance | delete | | | credentialType | credentialsIssuance | create | | | credentialType | credentialsIssuance | read | | | credentialType | credentialsIssuance | update | | | credentialType | credentialsIssuance | delete | | | credentials | credentialsIssuance | create | | | credentials | credentialsIssuance | read | | | credentials | credentialsIssuance | update | | | credentials | credentialsIssuance | delete | | | crypto | pingfederate | admin | | | customDomain | branding | create | | | customDomain | branding | read | | | customDomain | branding | update | | | customDomain | branding | delete | | | dashboard | visualization | read | | | dataBasedIdentityVerification | idverifications | create | | | davinciMetrics | visualization | read | | | decisionendpoint | authz | authorize | | | decisionendpoint | authz | create | | | decisionendpoint | authz | read | | | decisionendpoint | authz | update | | | decisionendpoint | authz | delete | | | deployment | orgmgt | create | | | deployment | orgmgt | read | essential | | deploymentpackage | authz | read | | | device | mfa | authenticate | | | device | mfa | create | sensitive | | device | mfa | read | | | device | mfa | update | sensitive | | device | mfa | delete | sensitive | | device | p14e | admin | | | deviceAuthenticationPolicy | mfa | create | | | deviceAuthenticationPolicy | mfa | read | | | deviceAuthenticationPolicy | mfa | update | | | deviceAuthenticationPolicy | mfa | delete | | | deviceOwnershipVerification | idverifications | create | | | deviceRequirements | mfa | read | | | deviceRequirements | mfa | update | | | deviceRequirements | mfa | delete | | | digitalWallet | credentialsIssuance | create | | | digitalWallet | credentialsIssuance | read | | | digitalWallet | credentialsIssuance | update | | | digitalWallet | credentialsIssuance | delete | | | digitalWalletApplication | credentialsIssuance | create | | | digitalWalletApplication | credentialsIssuance | read | | | digitalWalletApplication | credentialsIssuance | update | | | digitalWalletApplication | credentialsIssuance | delete | | | directLdap | ldapGateway | execute | | | document | idverifications | create | | | document | idverifications | get | | | document | idverifications | update | | | document | idverifications | delete | | | dvFlows | davinci | create | | | dvFlows | davinci | deploy | | | dvFlows | davinci | read | | | dvFlows | davinci | update | | | dvFlows | davinci | delete | | | dvUsers | davinci | read | | | dvUsers | davinci | update | | | dvUsers | davinci | delete | | | emailDomain | notifications | create | | | emailDomain | notifications | read | | | emailDomain | notifications | update | | | emailDomain | notifications | delete | | | entity | authz | create | | | entity | authz | read | | | entity | authz | test | | | entity | authz | update | | | entity | authz | delete | | | environment | orgmgt | create | sensitive | | environment | orgmgt | promote | | | environment | orgmgt | read | essential | | environment | orgmgt | update | | | environment | orgmgt | delete | sensitive | | environmentLicense | licensing | update | | | environmentOverview | console | display | | | environmentProperties | console | display | | | evaluation | risk | create | | | evaluation | risk | read | | | evaluation | risk | update | | | evaluation | riskDetection | create | | | events | davinci | read | | | experience | experiences | create | | | experience | experiences | read | | | experience | experiences | update | | | experience | experiences | delete | | | exploration | visualization | create | | | exploration | visualization | read | | | expressions | pingfederate | admin | | | externalOAuthServer | authz | create | | | externalOAuthServer | authz | read | | | externalOAuthServer | authz | update | | | externalOAuthServer | authz | delete | | | externalService | externalServices | create | | | externalService | externalServices | invoke | | | externalService | externalServices | read | | | externalService | externalServices | update | | | externalService | externalServices | delete | | | features | earlyAccess | read | | | features | earlyAccess | update | | | feedback | risk | create | | | fidoDeviceMetadata | mfa | create | | | fidoDeviceMetadata | mfa | read | | | fidoDeviceMetadata | mfa | delete | | | fidoPolicy | mfa | create | | | fidoPolicy | mfa | read | | | fidoPolicy | mfa | update | | | fidoPolicy | mfa | delete | | | flow | solutions | read | | | flowPolicies | davinci | create | | | flowPolicies | davinci | read | | | flowPolicies | davinci | update | | | flowPolicies | davinci | delete | | | flowPolicy | flowPolicies | read | | | flowPolicyAssignment | applications | create | | | flowPolicyAssignment | applications | read | | | flowPolicyAssignment | applications | update | | | flowPolicyAssignment | applications | delete | | | flowVersions | davinci | export | | | flowVersions | davinci | read | | | flowVersions | davinci | revert | | | flowVersions | davinci | update | | | flowVersions | davinci | delete | | | form | formBuilder | create | | | form | formBuilder | read | | | form | formBuilder | update | | | form | formBuilder | delete | | | gateway | gateways | create | | | gateway | gateways | read | | | gateway | gateways | update | | | gateway | gateways | delete | | | gatewayRoleAssignments | permissions | read | | | gatewayRoleAssignments | permissions | update | sensitive | | gatewayRoleAssignments | permissions | delete | sensitive | | global | p14e | admin | | | grant | applications | create | | | grant | applications | read | | | grant | applications | update | | | grant | applications | delete | | | group | dir | create | | | group | dir | read | | | group | dir | update | | | group | dir | delete | | | groupMembership | dir | create | | | groupMembership | dir | read | | | groupMembership | dir | delete | | | groupSyncedRules | dir | read | | | identityProvider | identityProviders | create | | | identityProvider | identityProviders | read | | | identityProvider | identityProviders | update | | | identityProvider | identityProviders | delete | | | identityRecordMatching | idverifications | create | | | identityRepository | p14e | admin | | | image | image | create | | | image | image | read | | | image | image | delete | | | inboundTrafficPolicy | traffic | create | | | inboundTrafficPolicy | traffic | read | | | inboundTrafficPolicy | traffic | update | | | inboundTrafficPolicy | traffic | delete | | | ingressSettings | traffic | read | | | ingressSettings | traffic | update | | | integration | integrations | read | | | integration | pingid | read | | | integration | pingid | update | | | interactionEvents | davinci | read | | | issuanceRule | credentialsIssuance | create | | | issuanceRule | credentialsIssuance | read | | | issuanceRule | credentialsIssuance | update | | | issuanceRule | credentialsIssuance | delete | | | issuerProfile | credentialsIssuance | create | | | issuerProfile | credentialsIssuance | read | | | issuerProfile | credentialsIssuance | update | | | kerberos | ldapGateway | validate | | | key | certmgt | create | sensitive | | key | certmgt | read | | | key | certmgt | update | sensitive | | key | certmgt | delete | sensitive | | krp | certmgt | create | | | krp | certmgt | read | | | krp | certmgt | update | | | krp | certmgt | delete | | | language | langmgt | create | | | language | langmgt | read | | | language | langmgt | update | | | language | langmgt | delete | | | license | licensing | read | essential | | mapping | osmosis | read | | | mapping | osmosis | update | | | mapping | osmosis | delete | | | mfaSettings | mfa | read | | | mfaSettings | mfa | update | | | mfaSettings | mfa | delete | | | migration | pingid | execute | | | migration | pingid | read | | | migration | pingid | validate | | | mutableProperties | licensing | update | | | notification | notifications | create | | | notificationsPolicy | notifications | create | | | notificationsPolicy | notifications | read | | | notificationsPolicy | notifications | update | | | notificationsPolicy | notifications | delete | | | notificationsSettings | notifications | read | | | notificationsSettings | notifications | update | | | notificationsSettings | notifications | delete | | | oathJob | mfa | read | | | oathToken | mfa | create | | | oathToken | mfa | read | | | oathToken | mfa | update | | | oathToken | mfa | delete | | | oauthConsent | agreements | create | | | oauthConsent | agreements | read | | | oauthConsent | agreements | update | | | onboardingToken | privilege | create | | | openid4vciOffer | credentialsIssuance | create | | | openid4vciOffer | credentialsIssuance | read | | | orchestration | identitycloud | create | | | orchestration | identitycloud | update | | | orchestration | pingenterprise | create | | | orchestration | pingenterprise | read | | | orchestration | pingenterprise | update | | | orchestration | pingenterprise | delete | | | orchestration | pingintelligence | create | | | orchestration | pingintelligence | read | | | orchestration | pingintelligence | update | | | orchestration | pingintelligence | delete | | | organization | orgmgt | read | essential | | pairingKey | mfa | create | | | pairingKey | mfa | read | | | pairingKey | mfa | update | | | pairingKey | mfa | delete | | | passwordPolicy | dir | create | | | passwordPolicy | dir | read | | | passwordPolicy | dir | update | | | passwordPolicy | dir | delete | | | plan | osmosis | read | | | plan | osmosis | update | | | plan | osmosis | delete | | | policy | risk | create | | | policy | risk | read | | | policy | risk | update | | | policy | risk | delete | | | population | dir | create | | | population | dir | read | | | population | dir | update | | | population | dir | delete | | | prediction | prediction | create | | | predictor | risk | create | | | predictor | risk | read | | | predictor | risk | update | | | predictor | risk | delete | | | presentationSession | credentialsVerification | create | | | presentationSession | credentialsVerification | read | | | presentationSession | credentialsVerification | delete | | | promotion | promotion | create | sensitive | | promotion | promotion | execute | sensitive | | promotion | promotion | read | sensitive | | promotion | promotion | delete | sensitive | | promotionConfiguration | promotion | read | sensitive | | promotionConfiguration | promotion | update | sensitive | | promotionVariable | promotion | create | sensitive | | promotionVariable | promotion | read | sensitive | | promotionVariable | promotion | update | sensitive | | promotionVariable | promotion | delete | sensitive | | provisioning | visualization | read | | | provisioningSyncOrchestration | provisioning | create | | | provisioningSyncOrchestration | provisioning | update | | | pushCredentials | applications | create | | | pushCredentials | applications | read | | | pushCredentials | applications | update | | | pushCredentials | applications | delete | | | quota | notifications | read | | | rateLimitConfigs | ratelimiting | create | | | rateLimitConfigs | ratelimiting | read | | | rateLimitConfigs | ratelimiting | update | | | rateLimitConfigs | ratelimiting | delete | | | rateLimits | ratelimiting | read | | | recaptchaV2Config | formBuilder | read | | | recaptchaV2Config | formBuilder | update | | | recaptchaV2Config | formBuilder | delete | | | recentdecisions | authz | read | | | referenceData | idverifications | get | | | referenceData | idverifications | delete | | | resource | resources | create | | | resource | resources | import | | | resource | resources | read | | | resource | resources | update | | | resource | resources | delete | | | revision | osmosis | create | | | revision | osmosis | get | | | riskSettings | risk | read | | | riskSettings | risk | update | | | roles | permissions | create | sensitive | | roles | permissions | read | sensitive | | roles | permissions | update | sensitive | | roles | permissions | delete | sensitive | | rule | osmosis | read | | | rule | osmosis | update | | | rule | osmosis | delete | | | saas | p14e | admin | | | schema | dir | read | | | schema | dir | update | | | schema | dir | delete | | | schema | scim | read | | | scope | resources | create | | | scope | resources | read | | | scope | resources | update | | | scope | resources | delete | | | secret | applications | read | sensitive | | secret | applications | set | sensitive | | secret | applications | update | sensitive | | secret | applications | delete | sensitive | | secret | resources | read | sensitive | | secret | resources | set | sensitive | | secret | resources | update | sensitive | | secret | resources | delete | sensitive | | secrets | externalServices | read | | | secrets | externalServices | update | | | seenDevice | devices | create | | | seenDevice | devices | read | | | seenDevice | devices | update | | | seenDevice | devices | delete | | | serviceUser | p14e | admin | | | session | radiusGateway | read | | | sessions | authn | create | | | sessions | authn | read | | | sessions | authn | update | | | sessions | authn | delete | | | settings | davinci | read | | | settings | davinci | update | | | signOnPolicy | authn | create | | | signOnPolicy | authn | read | | | signOnPolicy | authn | update | | | signOnPolicy | authn | delete | | | signOnPolicyAssignment | applications | create | | | signOnPolicyAssignment | applications | read | | | signOnPolicyAssignment | applications | update | | | signOnPolicyAssignment | applications | delete | | | snapshot | promotion | create | sensitive | | snapshot | promotion | read | sensitive | | snapshot | promotion | update | sensitive | | snapshot | promotion | delete | sensitive | | stagedChanges | credentialsIssuance | read | | | stagedChanges | credentialsIssuance | update | | | stats | davinci | read | | | store | osmosis | read | | | store | osmosis | update | | | store | osmosis | delete | | | subscription | subscriptions | create | | | subscription | subscriptions | read | | | subscription | subscriptions | test | | | subscription | subscriptions | update | | | subscription | subscriptions | delete | | | superadmin | identitycloud | admin | | | support | p14e | admin | | | system | pingfederate | admin | | | tag | authz | read | | | tag | authz | update | | | tag | authz | delete | | | template | notifications | read | | | template | visualization | read | | | templateContent | notifications | create | | | templateContent | notifications | read | | | templateContent | notifications | update | | | templateContent | notifications | delete | | | tenantadmin | identitycloud | admin | | | theme | branding | create | | | theme | branding | read | | | theme | branding | update | | | theme | branding | delete | | | token | solutions | read | | | uiTemplates | davinci | create | | | uiTemplates | davinci | read | | | uiTemplates | davinci | update | | | uiTemplates | davinci | delete | | | update | p14e | admin | | | user | dir | create | | | user | dir | import | | | user | dir | invite | | | user | dir | read | | | user | dir | update | | | user | dir | verify | | | user | dir | delete | | | user | ldapGateway | read | | | user | scim | create | | | user | scim | read | | | user | scim | update | | | user | scim | delete | | | userAccount | dir | lock | | | userAccount | dir | unlock | | | userConsent | agreements | create | | | userConsent | agreements | read | | | userConsent | agreements | update | | | userConsent | agreements | delete | | | userDemographics | visualization | read | | | userEnabled | dir | update | | | userIdentityAssurance | dir | delete | | | userIdentityProvider | dir | update | | | userLinkedAccounts | dir | create | | | userLinkedAccounts | dir | read | | | userLinkedAccounts | dir | delete | | | userMfaBypass | dir | update | | | userMfaEnabled | dir | update | | | userPassword | dir | forceChange | sensitive | | userPassword | dir | read | | | userPassword | dir | recover | sensitive | | userPassword | dir | reset | sensitive | | userPassword | dir | set | sensitive | | userPassword | dir | unlock | sensitive | | userPassword | dir | validate | | | userPassword | ldapGateway | validate | | | userProfile | risk | reset | | | userQuota | notifications | reset | | | userRoleAssignments | permissions | read | | | userRoleAssignments | permissions | update | sensitive | | userSeenDevice | devices | create | | | userSeenDevice | devices | read | | | userSeenDevice | devices | update | | | userSeenDevice | devices | delete | | | userSyncedStores | dir | read | | | userVerifyStatus | dir | update | | | users | pingfederate | admin | | | verifiedUserData | idverifications | get | | | verifiedUserData | idverifications | update | | | verifiedUserData | idverifications | delete | | | verifyPolicy | idverifications | create | | | verifyPolicy | idverifications | read | | | verifyPolicy | idverifications | update | | | verifyPolicy | idverifications | delete | | | verifyTransactions | idverifications | create | | | verifyTransactions | idverifications | read | | | verifyTransactions | idverifications | update | | | verifyTransactions | idverifications | delete | | | version | authz | read | | | voicePhrase | idverifications | create | | | voicePhrase | idverifications | read | | | voicePhrase | idverifications | update | | | voicePhrase | idverifications | delete | | | voicePhraseContent | idverifications | create | | | voicePhraseContent | idverifications | read | | | voicePhraseContent | idverifications | update | | | voicePhraseContent | idverifications | delete | |