PingOne Platform APIs

PingOne Permissions by Identifier

A permission identifier is a three-part, colon-delimited string that represents the category, action, and resource to which the permission applies.

The Special column indicates special handling of certain permissions:

  • Essential: Start building a new custom role with the minimum set of permissions needed for the role to be usable.

  • Sensitive: The permission either provides access to sensitive information, such as personal user data, or allows the bearer to perform important actions that could negatively impact the organization, such as deleting an environment.
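The identifier format and the Special column above lend themselves to an automated least-privilege check: parse each identifier of a proposed custom role into its three parts, reject malformed entries, confirm the four essential permissions are present, and flag every permission the table marks as sensitive. This is an added example, not PingOne code or an official client; the help-desk role it audits is constructed for illustration.

```python
# Audit a custom-role permission list against the identifier format and the
# Special column on this page. Added example, not PingOne code; the sample
# role below is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

# The four permissions the table marks as essential: the minimum a new custom
# role needs to be usable.
ESSENTIAL = frozenset({"licensing:read:license", "orgmgt:read:deployment",
                       "orgmgt:read:environment", "orgmgt:read:organization"})

# Every identifier the table marks as sensitive (personal data, or actions
# that can negatively impact the organization), copied from the table.
SENSITIVE = frozenset("""
admin:update:config applications:issue:certificate applications:read:secret
applications:update:secret applications:delete:secret
certmgt:create:certificate certmgt:read:certificate certmgt:update:certificate
certmgt:delete:certificate certmgt:create:key certmgt:update:key certmgt:delete:key
dir:forceChange:userPassword dir:recover:userPassword dir:reset:userPassword
dir:set:userPassword dir:unlock:userPassword
mfa:create:device mfa:update:device mfa:delete:device
orgmgt:create:environment orgmgt:delete:environment
permissions:update:applicationRoleAssignments permissions:update:gatewayRoleAssignments
permissions:delete:gatewayRoleAssignments permissions:create:groupRoleAssignments
permissions:delete:groupRoleAssignments permissions:create:roles permissions:read:roles
permissions:update:roles permissions:delete:roles permissions:update:userRoleAssignments
promotion:create:promotion promotion:execute:promotion promotion:read:promotion
promotion:delete:promotion promotion:read:promotionConfiguration
promotion:update:promotionConfiguration promotion:create:promotionVariable
promotion:read:promotionVariable promotion:update:promotionVariable
promotion:delete:promotionVariable promotion:create:snapshot promotion:read:snapshot
promotion:update:snapshot promotion:delete:snapshot
resources:read:secret resources:update:secret resources:delete:secret
""".split())


@dataclass(frozen=True)
class Permission:
    """The three colon-delimited parts of a PingOne permission identifier."""
    category: str
    action: str
    resource: str


def parse_permission(identifier: str) -> Permission:
    """Split an identifier into its parts; reject anything that is not exactly
    three non-empty parts so a typo fails loudly instead of being skipped."""
    parts = identifier.strip().split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed permission identifier: {identifier!r}")
    return Permission(*parts)


@dataclass
class RoleAudit:
    role: str
    invalid: list[str] = field(default_factory=list)     # unparseable entries
    sensitive: list[str] = field(default_factory=list)   # flagged by the table
    missing_essential: list[str] = field(default_factory=list)
    by_category: dict[str, list[str]] = field(default_factory=dict)

    def is_usable(self) -> bool:
        """Usable only when every entry parses and all essentials are present."""
        return not self.invalid and not self.missing_essential


def audit_role(role: str, identifiers: list[str]) -> RoleAudit:
    """Classify a role's identifiers by the page's Special column and group the
    granted action:resource pairs per category for a least-privilege review."""
    audit = RoleAudit(role)
    grouped: dict[str, list[str]] = defaultdict(list)
    seen: set[str] = set()
    for raw in identifiers:
        try:
            perm = parse_permission(raw)
        except ValueError:
            audit.invalid.append(raw)
            continue
        ident = f"{perm.category}:{perm.action}:{perm.resource}"
        seen.add(ident)
        grouped[perm.category].append(f"{perm.action}:{perm.resource}")
        if ident in SENSITIVE:
            audit.sensitive.append(ident)
    audit.sensitive.sort()
    audit.missing_essential = sorted(ESSENTIAL - seen)
    audit.by_category = {c: sorted(v) for c, v in sorted(grouped.items())}
    return audit


# Constructed sample: a help-desk role submitted for review. It carries the
# four essentials, three entries the table flags as sensitive, and one typo.
HELPDESK_ROLE = [
    "licensing:read:license", "orgmgt:read:deployment",
    "orgmgt:read:environment", "orgmgt:read:organization",
    "applications:read:application", "applications:read:secret",
    "dir:reset:userPassword", "mfa:delete:device", "authn:delete",
]

if __name__ == "__main__":
    result = audit_role("helpdesk", HELPDESK_ROLE)
    print(f"usable={result.is_usable()} invalid={result.invalid}")
    print(f"sensitive={result.sensitive} by_category={result.by_category}")
```

The malformed entry makes the sample role unusable until it is corrected, and the three sensitive identifiers are the ones a reviewer would ask the requester to justify.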

Identifier Permission Special

licensing:read:license

Read license information for the organization.

essential

orgmgt:read:deployment

Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.

essential

orgmgt:read:environment

Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.

essential

orgmgt:read:organization

Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.

essential

admin:update:config

Update the administrator security settings used for accessing the admin console.

sensitive

applications:issue:certificate

Issue a new KDC certificate

sensitive

applications:read:secret

Read the client secret for an application. Client secrets are used to authenticate an application with PingOne.

sensitive

applications:update:secret

Create a new client secret for an application. Client secrets are used to authenticate an application with PingOne.

sensitive

applications:delete:secret

Revoke the previous client secret for an application before it expires. Client secrets are used to authenticate an application with PingOne and can be revoked when a new secret is generated.

sensitive

certmgt:create:certificate

Create a certificate. Certificates are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:read:certificate

Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:update:certificate

Update a certificate. Updates include making a certificate default and reassigning a certificate to an application. Certificates are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:delete:certificate

Delete a certificate. Certificates are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:create:key

Create a new key pair. Key pairs are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:update:key

Update a key pair. Updates include making a key pair default and reassigning a key pair to an application. Key pairs are security credentials that PingOne uses for encryption and signing.

sensitive

certmgt:delete:key

Delete a key pair. Key pairs are security credentials that PingOne uses for encryption and signing.

sensitive

dir:forceChange:userPassword

Force a user to change their password the next time they sign on. The password state is MUST_CHANGE_PASSWORD.

sensitive

dir:recover:userPassword

Reset a user’s password using a recovery code. Send a recovery code.

sensitive

dir:reset:userPassword

Reset a user’s password without requiring a recovery code.

sensitive

dir:set:userPassword

Set a user’s clear text or pre-encoded password and set a user’s password authority.

sensitive

dir:unlock:userPassword

Unlock a user’s password. The password state is PASSWORD_LOCKED_OUT.

sensitive

mfa:create:device

Create an MFA device.

sensitive

mfa:update:device

Update an MFA device.

sensitive

mfa:delete:device

Delete an MFA device.

sensitive

orgmgt:create:environment

Create an environment to include a set of services and capabilities. Define the name and description, and include license information. Environments are the primary subdivision of an organization.

sensitive

orgmgt:delete:environment

Delete an environment and all of its associated resources, such as applications, users, and branding. Environments are the primary subdivision of an organization.

sensitive

permissions:update:applicationRoleAssignments

Assign or revoke admin roles for an application scope. Roles are used by worker applications only.

sensitive

permissions:update:gatewayRoleAssignments

Add roles and the associated permissions associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.

sensitive

permissions:delete:gatewayRoleAssignments

Remove roles and the associated permissions associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.

sensitive

permissions:create:groupRoleAssignments

Assign an admin role to a group.

sensitive

permissions:delete:groupRoleAssignments

Remove an admin role from a group.

sensitive

permissions:create:roles

Create a custom role for the environment.

sensitive

permissions:read:roles

Read a list of custom roles for the environment.

sensitive

permissions:update:roles

Update the permissions that are included in a custom role for the environment.

sensitive

permissions:delete:roles

Remove a custom role from the environment.

sensitive

permissions:update:userRoleAssignments

Update admin roles that are assigned to a user, including the role permissions.

sensitive

promotion:create:promotion

Start the promotion of configuration details from one environment to another. This permission is required in the source environment and 'Execute promotion' is required in the target environment.

sensitive

promotion:execute:promotion

Promote the environment resource configuration from one environment to another. This permission is required in the target environment and 'Create promotion' is required in the source environment.

sensitive

promotion:read:promotion

Read environment promotion details, such as which environment resources were promoted from one environment to another.

sensitive

promotion:delete:promotion

Cancel an in-progress environment promotion. Environment promotions are the transfer of configuration details from one environment to another.

sensitive

promotion:read:promotionConfiguration

Read environment-specific configuration data for promotion. Environment promotion ensures the smooth transition of configuration data between environments.

sensitive

promotion:update:promotionConfiguration

Create or update environment-specific configuration data for promotion. Environment promotion ensures the smooth transition of configuration data between environments.

sensitive

promotion:create:promotionVariable

Create environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.

sensitive

promotion:read:promotionVariable

Read environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.

sensitive

promotion:update:promotionVariable

Update the values of promotion variables. Promotion variables are used to define attributes that must have different values in different environments.

sensitive

promotion:delete:promotionVariable

Delete environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.

sensitive

promotion:create:snapshot

Create snapshots of environment resources. A snapshot is a record of the configuration for the asset at a specific point in time.

sensitive

promotion:read:snapshot

Read snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.

sensitive

promotion:update:snapshot

Update snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.

sensitive

promotion:delete:snapshot

Delete snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.

sensitive

resources:read:secret

Read the client secret for a resource. Client secrets are used to authenticate a resource with PingOne.

sensitive

resources:update:secret

Create a new client secret for a resource. Client secrets are used to authenticate a resource with PingOne.

sensitive

resources:delete:secret

Revoke the previous client secret for an application resource before it expires. Client secrets are used to authenticate a resource with PingOne and can be revoked when a new secret is generated.

sensitive

admin:read:config

Read the administrator security settings used for accessing the admin console.

agreements:create:agreement

Create an agreement that users must consent to as part of an authentication policy or flow.

agreements:read:agreement

Read agreements that users must consent to as part of an authentication policy or flow.

agreements:update:agreement

Update an agreement that users must consent to as part of an authentication policy or flow.

agreements:delete:agreement

Delete an agreement that users must consent to as part of an authentication policy or flow.

agreements:create:oauthConsent

Create a record of the user’s consent to share their information with an OAuth application during an authentication flow.

agreements:read:oauthConsent

Read the OAuth consent history for a user.

agreements:update:oauthConsent

Update the recorded date for the user’s consent to an OAuth application request for personal information during an authentication flow.

agreements:create:userConsent

Consent to an agreement on behalf of a particular user.

agreements:read:userConsent

Read the consent history for a user, including agreement names, language, and date of consent.

agreements:update:userConsent

Require a user to re-consent to an agreement when the agreement has been updated.

agreements:delete:userConsent

Delete consent to an agreement on behalf of a particular user.

alerting:create:channel

Create an alert channel to define the types of events that will trigger an alert and to list email addresses where the alerts will be sent.

alerting:read:channel

Read alert channels to view the types of events that will trigger an alert and the list of email addresses where the alerts will be sent.

alerting:update:channel

Update an alert channel to change the types of events that will trigger an alert or to change the email addresses where the alerts will be sent.

alerting:delete:channel

Delete an alert channel to stop sending alerts about events to a list of email addresses.

applicationRoles:read:applicationEntitlement

Query a user’s entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.

applicationRoles:create:applicationPermission

Create permissions that represent actions that can be taken on resources in external applications.

applicationRoles:read:applicationPermission

List application permissions and read permission details, including permission descriptions, actions, and resources.

applicationRoles:update:applicationPermission

Update details for application permissions, including permission actions and descriptions.

applicationRoles:delete:applicationPermission

Delete application permissions.

applicationRoles:create:applicationResource

Create resources that represent protected features in external applications.

applicationRoles:read:applicationResource

List application resources and read resource details, including resource names and descriptions.

applicationRoles:update:applicationResource

Update details for application resources, including resource names and descriptions.

applicationRoles:delete:applicationResource

Delete application resources.

applicationRoles:create:applicationRole

Create roles that group permissions for external applications by function.

applicationRoles:read:applicationRole

List application roles and read role details, including role names and descriptions.

applicationRoles:update:applicationRole

Update details for application roles, including role names and descriptions.

applicationRoles:delete:applicationRole

Delete application roles.

applicationRoles:create:applicationRoleAssignment

Assign application roles to users to grant the associated permissions for actions in external applications.

applicationRoles:read:applicationRoleAssignment

Read application roles that are assigned to a user, including the role permissions.

applicationRoles:delete:applicationRoleAssignment

Remove application role assignments from users to revoke the associated permissions for actions in external applications.

applicationRoles:create:applicationRoleEntry

Add permissions for external applications to application roles.

applicationRoles:read:applicationRoleEntry

List permissions for an application role.

applicationRoles:delete:applicationRoleEntry

Delete permissions from application roles.

applications:create:application

Create an application in the environment.

applications:read:application

Read the settings for an application in the environment.

applications:update:application

Update the settings for an application in the environment.

applications:delete:application

Delete an application from the environment.

applications:create:flowPolicyAssignment

Assign DaVinci policies to PingOne applications. When assigned, a DaVinci policy controls which DaVinci flow a PingOne application uses for authentication.

applications:read:flowPolicyAssignment

Read the assigned DaVinci policies for any PingOne application.

applications:update:flowPolicyAssignment

Update the policy order for DaVinci policies assigned to PingOne applications. A PingOne application applies policies in their listed order from top to bottom.

applications:delete:flowPolicyAssignment

Unassign DaVinci policies from PingOne applications. When unassigned, a DaVinci policy no longer has control over the authentication experience for the PingOne application.

applications:create:grant

Assign a resource scope to an application. Resource scopes define application access to user details, such as name and email address.

applications:read:grant

Read the resource scope that is assigned to an application. Resource scopes define application access to user details, such as name and email address.

applications:update:grant

Change the resource scopes that are assigned to an application. Resource scopes define application access to user details, such as name and email address.

applications:delete:grant

Delete an assigned resource scope from an application. Resource scopes define application access to user details, such as name and email address.

applications:create:pushCredentials

Create push credentials for a mobile application.

applications:read:pushCredentials

Read push credentials for a mobile application.

applications:update:pushCredentials

Update push credentials for a mobile application.

applications:delete:pushCredentials

Delete push credentials for a mobile application.

applications:create:signOnPolicyAssignment

Assign an authentication policy that defines the sign-on requirements used to access an application.

applications:read:signOnPolicyAssignment

Read authentication policies that are assigned to an application. Authentication policies define the sign-on requirements used to access an application.

applications:update:signOnPolicyAssignment

Update the authentication policy that is assigned to an application to change the sign-on requirements used to access an application.

applications:delete:signOnPolicyAssignment

Delete an assigned authentication policy from an application. Authentication policies define the sign-on requirements used to access an application.

audit_reporting:read:activity

Access to the audit report and event content including PII.

authn:create:sessions

Create a session for a user when they complete authentication during sign-on.

authn:read:sessions

Read all sessions for a particular user.

authn:update:sessions

Update a user session when the authentication process or API request has a valid session ID cookie.

authn:delete:sessions

Delete a recent user session to sign the user out of PingOne. For example, you can delete a session if you detect suspicious activity.

authn:create:signOnPolicy

Create an authentication policy, which defines how user identities are verified at sign-on.

authn:read:signOnPolicy

Read authentication policies, which define how user identities are verified at sign-on.

authn:update:signOnPolicy

Update an authentication policy to change how user identities are verified at sign-on.

authn:delete:signOnPolicy

Delete an authentication policy.

authz:create:accessTokenProvider

Create access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.

authz:read:accessTokenProvider

Read details for access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.

authz:update:accessTokenProvider

Update access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.

authz:delete:accessTokenProvider

Delete access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.

authz:create:adaptiveTrustPolicy

Create an adaptive access policy. Adaptive access policies define contextual rules for access to applications.

authz:read:adaptiveTrustPolicy

Read configuration details for adaptive access policies. Adaptive access policies define contextual rules for access to applications.

authz:update:adaptiveTrustPolicy

Update an adaptive access policy. Adaptive access policies define contextual rules for access to applications.

authz:delete:adaptiveTrustPolicy

Delete an adaptive access policy. Adaptive access policies define contextual rules for access to applications.

authz:create:adaptiveTrustPolicyAssignment

Assign an adaptive access policy to an application. Adaptive access policies define contextual rules for access to applications.

authz:read:adaptiveTrustPolicyAssignment

Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.

authz:delete:adaptiveTrustPolicyAssignment

Delete adaptive access policy assignments from an application. Policy assignments control which policies the application uses for adaptive access.

authz:create:apiServer

Create an API service and associated operations, which represent an HTTP API with access control handled by PingOne Authorize.

authz:read:apiServer

Read details for an API service and its associated operations, including the name, base URLs, and directory and token source.

authz:update:apiServer

Update details for an API service and its associated operations, including the name, base URLs, and basic rules.

authz:delete:apiServer

Delete an API service and its associated operations, decision endpoint, and policy tree.

authz:deploy:apiServerDeployment

Deploy API service configuration updates and policies to the API service’s decision endpoint.

authz:read:apiServerDeployment

Read an API service’s deployment status.

authz:create:authorizationAttribute

Create an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.

authz:read:authorizationAttribute

Read configuration details for authorization attributes in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.

authz:test:authorizationAttribute

Test an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.

authz:update:authorizationAttribute

Update an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.

authz:delete:authorizationAttribute

Delete an authorization attribute from the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.

authz:create:authorizationCondition

Create an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.

authz:read:authorizationCondition

Read configuration details for authorization conditions in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.

authz:test:authorizationCondition

Test an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.

authz:update:authorizationCondition

Update an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.

authz:delete:authorizationCondition

Delete an authorization condition from the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.

authz:create:authorizationPolicy

Create an authorization policy. Authorization policies define the context and logic used to control access to application resources.

authz:read:authorizationPolicy

Read configuration details for authorization policies. Authorization policies define the context and logic used to control access to application resources.

authz:test:authorizationPolicy

Test an authorization policy. Authorization policies define the context and logic used to control access to application resources.

authz:update:authorizationPolicy

Update an authorization policy. Authorization policies define the context and logic used to control access to application resources.

authz:delete:authorizationPolicy

Delete an authorization policy. Authorization policies define the context and logic used to control access to application resources.

authz:create:authorizationProcessor

Create an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.

authz:read:authorizationProcessor

Read configuration details for authorization processors in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.

authz:update:authorizationProcessor

Update an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.

authz:delete:authorizationProcessor

Delete an authorization processor from the Trust Framework. Authorization processors transform data returned from authorization attributes and services.

authz:create:authorizationRule

Create an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.

authz:read:authorizationRule

Read configuration details for authorization rules. Authorization rules use conditions or in-line comparisons to define authorization policy logic.

authz:test:authorizationRule

Test an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.

authz:update:authorizationRule

Update an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.

authz:delete:authorizationRule

Delete an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.

authz:create:authorizationService

Create an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.

authz:read:authorizationService

Read configuration details for authorization services in the Trust Framework. Authorization services connect to data sources used in authorization decisions.

authz:test:authorizationService

Test an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.

authz:update:authorizationService

Update an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.

authz:delete:authorizationService

Delete an authorization service from the Trust Framework. Authorization services connect to data sources used in authorization decisions.

authz:create:authorizationStatement

Create an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.

authz:read:authorizationStatement

Read configuration details for authorization statements. Authorization statements provide additional processing instructions in authorization decisions.

authz:update:authorizationStatement

Update an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.

authz:delete:authorizationStatement

Delete an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.

authz:read:authorizeDeployment

Read PingOne Authorize Gateway Deployment

authz:authorize:decisionendpoint

Make a decision request to a decision endpoint, initiating evaluation of policies deployed to the endpoint.

authz:create:decisionendpoint

Create a decision endpoint, which provides an environment for authorization policy deployment.

authz:read:decisionendpoint

Read details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.

authz:update:decisionendpoint

Update details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.

authz:delete:decisionendpoint

Delete a decision endpoint and any recent decisions stored for the endpoint.

authz:read:deploymentpackage

Read the deployment package of policies and Trust Framework definitions associated with a specific authorization version.

authz:create:entity

Create an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.

authz:read:entity

Read details about an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.

authz:test:entity

Test an authorization service, attribute, condition, policy set, policy, or library rule.

authz:update:entity

Update an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.

authz:delete:entity

Delete an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.

authz:read:recentdecisions

Read details about the decision flow and elements used in recent decisions for a decision endpoint.

authz:read:tag

Read an authorization version name.

authz:update:tag

Create or update an authorization version name.

authz:delete:tag

Delete an authorization version name.

authz:read:version

Read details about an authorization version, including the entity that changed, the date and time, and the user who made the change.

bootstrap:create:bootstrap

Start a bootstrap execution for provisioning.

bootstrap:read:bootstrap

Check bootstrap execution status by invoking the GET endpoint.

branding:update:branding

Create and update branding

branding:delete:branding

Delete branding

branding:read:brandingSettings

Read the company name and logo for an environment.

branding:update:brandingSettings

Update the company name and logo for an environment.

branding:create:customDomain

Create a custom domain for the environment to personalize the user-facing PingOne service URLs.

branding:read:customDomain

Read the custom domain for the environment and see the corresponding custom service URLs. If enabled, custom domains replace pingone in the address bar.

branding:update:customDomain

Update the custom domain for the environment to renew the SSL certificate.

branding:delete:customDomain

Delete a custom domain from the environment to stop using it in the user-facing PingOne service URLs.

branding:create:theme

Create a theme to customize the colors and images used on your registration pages, sign-on pages, and verification pages for an environment.

branding:read:theme

Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.

branding:update:theme

Update a theme in an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.

branding:delete:theme

Delete a theme from an environment. Themes dictate the customization of the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.

certmgt:read:key

Read the metadata for a key pair and download it as an X509 certificate. Key pairs are security credentials that PingOne uses for encryption and signing.

certmgt:create:krp

Create a new key rotation policy in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.

certmgt:read:krp

Read a list of key rotation policies in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.

certmgt:update:krp

Update a key rotation policy in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.

certmgt:delete:krp

Delete a key rotation policy from the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.

console:display:environmentOverview

View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.

console:display:environmentProperties

View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.

credentialsIssuance:create:credentialSigningKey

Create a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.

credentialsIssuance:read:credentialSigningKey

Read a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.

credentialsIssuance:update:credentialSigningKey

Update a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.

credentialsIssuance:delete:credentialSigningKey

Delete a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.

credentialsIssuance:create:credentialType

Create a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.

credentialsIssuance:read:credentialType

Read a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.

credentialsIssuance:update:credentialType

Update a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.

credentialsIssuance:delete:credentialType

Delete a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.

credentialsIssuance:create:credentials

Create a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsIssuance:read:credentials

Read a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsIssuance:update:credentials

Update a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsIssuance:delete:credentials

Delete a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsIssuance:create:digitalWallet

Create a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.

credentialsIssuance:read:digitalWallet

Read a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.

credentialsIssuance:update:digitalWallet

Update a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.

credentialsIssuance:delete:digitalWallet

Delete a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.

credentialsIssuance:create:digitalWalletApplication

Create a digital wallet application. A digital wallet application defines the relationship between a user’s digital wallet and a customer’s PingOne application.

credentialsIssuance:read:digitalWalletApplication

Read a digital wallet application. A digital wallet application defines the relationship between a user’s digital wallet and a customer’s PingOne application.

credentialsIssuance:update:digitalWalletApplication

Update a digital wallet application. A digital wallet application defines the relationship between a user’s digital wallet and a customer’s PingOne application.

credentialsIssuance:delete:digitalWalletApplication

Delete a digital wallet application. A digital wallet application defines the relationship between a user’s digital wallet and a customer’s PingOne application.

credentialsIssuance:create:issuanceRule

Create an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.

credentialsIssuance:read:issuanceRule

Read an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.

credentialsIssuance:update:issuanceRule

Update an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.

credentialsIssuance:delete:issuanceRule

Delete an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.

credentialsIssuance:create:issuerProfile

Create the environment profile used for issuing user credentials.

credentialsIssuance:read:issuerProfile

Read the environment profile used for issuing user credentials.

credentialsIssuance:update:issuerProfile

Update the environment profile used for issuing user credentials.

credentialsIssuance:read:stagedChanges

Read staged changes for an issuance rule. Staged changes show actions for an issuance rule that are staged for execution.

credentialsIssuance:update:stagedChanges

Update staged changes for an issuance rule. Allows for refreshing and applying of staged actions for an issuance rule.

credentialsVerification:create:presentationSession

Create a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsVerification:read:presentationSession

Read a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

credentialsVerification:delete:presentationSession

Delete a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.

davinci:create:applications

Create DaVinci applications

davinci:read:applications

Read DaVinci applications

davinci:update:applications

Update DaVinci applications

davinci:delete:applications

Delete DaVinci applications

davinci:create:connections

Create a new DaVinci connector for an environment and make it available for use in all DaVinci flows.

davinci:read:connections

Read a list of all connectors added to an environment, including their configurations and the DaVinci flows that contain them.

davinci:update:connections

Update the environment-level configuration of a connector instance. These changes also affect any use of the connector in DaVinci flows.

davinci:delete:connections

Delete a connector instance from an environment. This operation renders the connector instance non-functional in DaVinci flows.

davinci:read:connectors

Read DaVinci connectors

davinci:create:constructs

Create variables of any available scope in an environment or using the Variables connector in a DaVinci flow.

davinci:read:constructs

Read all variables and their values across the environment and within DaVinci flows.

davinci:update:constructs

Update any variables across the environment and within DaVinci flows.

davinci:delete:constructs

Delete any variables across the environment and within DaVinci flows.

davinci:create:dvFlows

Create or import DaVinci flows in one or more environments. Add new connectors during the import process.

davinci:deploy:dvFlows

Publish versions of DaVinci flows to make them available for use in DaVinci applications.

davinci:read:dvFlows

Read all DaVinci flows and their internal configurations. Also allows you to export flows.

davinci:update:dvFlows

Update the configuration and design of DaVinci flows and add, configure, or remove their subcomponents at the flow level.

davinci:delete:dvFlows

Delete existing DaVinci flows.

davinci:read:dvUsers

Read DaVinci users. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.

davinci:update:dvUsers

Update users in DaVinci. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.

davinci:delete:dvUsers

Delete users from DaVinci. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.

davinci:read:events

Read auditing information for the admin portal. This includes all events that generate an audit log entry, including the creation or modification of a flow, flow policy, or connector.

davinci:create:flowPolicies

Create DaVinci flow policies

davinci:read:flowPolicies

Read DaVinci flow policies

davinci:update:flowPolicies

Update DaVinci flow policies

davinci:delete:flowPolicies

Delete DaVinci flow policies

davinci:export:flowVersions

Export DaVinci flow versions

davinci:read:flowVersions

Read DaVinci flow versions

davinci:revert:flowVersions

Revert DaVinci flow versions

davinci:update:flowVersions

Update DaVinci flow versions

davinci:delete:flowVersions

Delete DaVinci flow versions

davinci:read:interactionEvents

Read DaVinci flow analytics. Flow analytics display information about flow executions, including the nodes used, inputs, and outputs.

davinci:read:stats

Read administrator statistics about the admin portal. This includes the UI dashboard summary and data about the creation and use of flows, connectors, variables, and users.

davinci:create:uiTemplates

Create user interface templates in DaVinci. UI templates can be used in a DaVinci flow to match your company style and branding.

davinci:read:uiTemplates

Read user interface templates in DaVinci. UI templates can be used in DaVinci flows to match your company style and branding.

davinci:update:uiTemplates

Update user interface templates in DaVinci. UI templates can be used in DaVinci flows to match your company style and branding.

davinci:delete:uiTemplates

Delete user interface templates from DaVinci. The UI template can no longer be used in DaVinci flows.

devices:create:seenDevice

Create or update an accessing device.

devices:read:seenDevice

Read an accessing device.

devices:update:seenDevice

Update an accessing device.

devices:delete:seenDevice

Delete an accessing device.

devices:create:userSeenDevice

Create a user association with an accessing device.

devices:read:userSeenDevice

Read a user association with an accessing device.

devices:update:userSeenDevice

Update a user association with an accessing device.

devices:delete:userSeenDevice

Delete a user association with an accessing device.

dir:create:batchGroupMembership

Create group memberships by batch for a user using the user ID and group IDs. Groups are used to organize a collection of user identities.

dir:delete:batchGroupMembership

Delete group memberships by batch for a user using the user ID and group IDs. Groups are used to organize a collection of user identities.

dir:create:group

Create a group in the environment. Groups are used to organize a collection of user identities.

dir:read:group

Read a group in the environment. Groups are used to organize a collection of user identities.

dir:update:group

Update a group, including name, description, and user filter, which defines dynamic group membership. Adding users directly requires the Group Membership permission.

dir:delete:group

Delete a group from the environment. Groups are used to organize a collection of user identities.

dir:create:groupMembership

Add a user to a group manually, rather than dynamically.

dir:read:groupMembership

Read the group membership for a user.

dir:delete:groupMembership

Delete a user or subgroup from a group.

dir:read:groupSyncedRules

Get a group’s provisioning rule sync status.

dir:create:passwordPolicy

Create a password policy for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.

dir:read:passwordPolicy

Read a list of password policies for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.

dir:update:passwordPolicy

Update a password policy for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.

dir:delete:passwordPolicy

Delete a password policy from the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.

dir:create:population

Create a population in the environment. A population defines a set of users, and a user can belong to one population only.

dir:read:population

Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.

dir:update:population

Update a population, including name and description, password policy, and population members. A population defines a set of users, and a user can belong to one population only.

dir:delete:population

Delete a population from the environment. A population defines a set of users, and a user can belong to one population only.

dir:read:schema

Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.

dir:update:schema

Update a schema, including creating, updating, and deleting attributes. A schema defines the user attributes in the environment.

dir:delete:schema

Delete a schema from the environment. A schema defines the user attributes in the environment.

dir:create:user

Create a user in the environment.

dir:import:user

Import users into the PingOne Directory. Imported users can include a password value.

dir:invite:user

Invite users

dir:read:user

Read a list of users in the environment.

dir:update:user

Update a user account, including name, email address, and other attributes.

dir:verify:user

Verify a user with a verification code, send verification codes, and verify a user’s email address by sending a verification email.

dir:delete:user

Delete a user from the environment.

dir:lock:userAccount

(Probably best not to document publicly)

dir:unlock:userAccount

Unlock a user account. Locked accounts cannot sign on to PingOne.

dir:update:userEnabled

Enable or disable a user. Disabled users cannot sign on to PingOne.

dir:update:userIdentityProvider

Define the authoritative identity provider for a user. An authoritative identity provider has authority over user records and credentials.

dir:create:userLinkedAccounts

Create a linked account for a user. A linked account is tied to a third-party identity provider for authentication.

dir:read:userLinkedAccounts

Read accounts linked to a user. A linked account is tied to a third-party identity provider for authentication.

dir:delete:userLinkedAccounts

Delete a linked account for a user. A linked account is tied to a third-party identity provider for authentication.

dir:update:userMfaBypass

Specify an MFA bypass period for a user. The user will not be prompted to carry out MFA until after this period expires.

dir:update:userMfaEnabled

Update the mfaEnabled status for a user. Specify whether MFA should be enabled for a user.

dir:read:userPassword

Read a user’s password state. The password state values can include OK, PASSWORD_LOCKED_OUT, and PASSWORD_EXPIRED.

dir:validate:userPassword

Validate a user’s password.

dir:read:userSyncedStores

Get a user’s target store sync status.

dir:update:userVerifyStatus

Update a user’s verification status.

earlyAccess:read:features

Read the early access features applicable to an environment.

earlyAccess:update:features

Opt-in or opt-out of early access features available for an environment.

enduseruiconfig:read:configs

View the Self Service and Application Portal pages.

externalServices:create:externalService

Create an external service

externalServices:invoke:externalService

Invoke an external service request

externalServices:read:externalService

Read one or more external services.

externalServices:update:externalService

Update an external service

externalServices:delete:externalService

Delete an external service

externalServices:read:secrets

Read external service secrets

externalServices:update:secrets

Update external service secrets

flowPolicies:read:flowPolicy

Read all DaVinci policies that are configured for use with PingOne applications.

formBuilder:create:form

Create a DaVinci form.

formBuilder:read:form

Get a list of available DaVinci forms.

formBuilder:update:form

Update an existing DaVinci form.

formBuilder:delete:form

Delete a DaVinci form.

formBuilder:read:recaptchaV2Config

Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.

formBuilder:update:recaptchaV2Config

Update the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.

formBuilder:delete:recaptchaV2Config

Delete the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.

gateways:create:gateway

Create a gateway to connect your on-premise infrastructure to PingOne and authenticate user identities and data stored in an internal or external directory.

gateways:read:gateway

Read the configuration details of all PingOne gateways. Gateways connect your on-premise infrastructure to PingOne.

gateways:update:gateway

Update the settings for a PingOne gateway.

gateways:delete:gateway

Delete a gateway to remove the connection between your on-premise infrastructure and PingOne.

globalregistry:read:console

Access the PingOne administrator console.

identityProviders:create:identityProvider

Create an identity provider (IdP) resource. External IdP connections allow users to authenticate with PingOne using credentials provided by the IdP when configured as part of an authentication policy.

identityProviders:read:identityProvider

Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.

identityProviders:update:identityProvider

Update an identity provider (IdP) resource to change how users authenticate to PingOne using the credentials provided by the IdP.

identityProviders:delete:identityProvider

Delete an identity provider (IdP) resource. Users will no longer be able to use the external IdP connection to authenticate using credentials provided by the IdP.

identitycloud:create:orchestration

Create an Advanced Identity Cloud orchestration in a specific environment

identitycloud:update:orchestration

Update an Advanced Identity Cloud orchestration in a specific environment

identitycloud:admin:superadmin

Grants the Super Admin role in Advanced Identity Cloud, which has full access to all administrative features and can manage every aspect of this tenant, including adding other administrators.

identitycloud:admin:tenantadmin

Grants the Tenant Admin role in Advanced Identity Cloud, which has full access to all administrative features except the ability to add other administrators.

idverifications:create:dataBasedIdentityVerification

Create data-based identity verification. Data-based identity verification runs matching and fraud analysis against user data and returns all personally identifiable information (PII) and a data match confidence score.

idverifications:create:document

Submit a user-submitted document. User-submitted documents are government-issued identity documents, such as a driver license or passport, used for identity verification.

idverifications:get:document

Read user-submitted documents. User-submitted documents are government-issued identity documents, such as a driver license or passport, used for identity verification.

idverifications:update:document

Update a user-submitted document. User-submitted documents are government-issued identity documents, such as a driver license or passport, used for identity verification.

idverifications:delete:document

Delete a user-submitted document. User-submitted documents are government-issued identity documents, such as a driver license or passport, used for identity verification.

idverifications:create:identityRecordMatching

Create Identity Record Matching. Identity Record Matching compares two sets of identity data and returns a confidence score indicating how closely the data match.

idverifications:get:referenceData

Read data submitted by a user during a voice verification.

idverifications:delete:referenceData

Delete data submitted by a user during a voice verification.

idverifications:get:verifiedUserData

Read verified user data from a verification transaction.

idverifications:update:verifiedUserData

Update verified user data from a verification transaction.

idverifications:delete:verifiedUserData

Delete verified user data from a verification transaction.

idverifications:create:verifyPolicy

Create a PingOne Verify policy.

idverifications:read:verifyPolicy

Read a PingOne Verify policy.

idverifications:update:verifyPolicy

Update a PingOne Verify policy.

idverifications:delete:verifyPolicy

Delete a PingOne Verify policy.

idverifications:create:verifyTransactions

Create a user verification transaction.

idverifications:read:verifyTransactions

Read a user verification transaction.

idverifications:update:verifyTransactions

Update a user verification transaction.

idverifications:delete:verifyTransactions

Delete a user verification transaction.

idverifications:create:voicePhrase

Create the template that defines the phrase the user speaks during voice verification.

idverifications:read:voicePhrase

Read the template that defines the phrase the user speaks during voice verification.

idverifications:update:voicePhrase

Update the template that defines the phrase the user speaks during voice verification.

idverifications:delete:voicePhrase

Delete the template that defines the phrase the user speaks during voice verification.

idverifications:create:voicePhraseContent

Create the phrase that the user speaks aloud for voice verification.

idverifications:read:voicePhraseContent

Read the phrase that the user speaks aloud for voice verification.

idverifications:update:voicePhraseContent

Update the phrase that the user speaks aloud for voice verification.

idverifications:delete:voicePhraseContent

Delete the phrase that the user speaks aloud for voice verification.

image:create:image

Upload an image to PingOne for an environment. The image can be used by other services within the environment, such as user profile.

image:read:image

View any image that has been uploaded to PingOne for an environment.

image:delete:image

Delete any image that has been uploaded to PingOne for an environment.

integrations:read:integration

Read a list of product integration kits, versions, and items in the application catalog.

langmgt:create:language

Add a language to configure for an environment.

langmgt:read:language

Read a list of languages that are currently configured for an environment.

langmgt:update:language

Enable or disable a language for an environment or set a language as the default.

langmgt:delete:language

Delete a language from an environment.

ldapGateway:execute:directLdap

Allow specific clients, such as PingFederate and the PingOne DaVinci connector, to route LDAP operations through PingOne to your on-premise LDAP directories.

ldapGateway:validate:kerberos

Use Kerberos authentication through an LDAP gateway. Available only if you use Microsoft Active Directory as your LDAP directory.

ldapGateway:read:user

Read LDAP users using the LDAP gateway.

ldapGateway:validate:userPassword

Check a user’s password through a PingOne LDAP gateway. LDAP gateways connect PingOne with customer-managed LDAP directories.

licensing:update:environmentLicense

Update environment licenses

licensing:update:mutableProperties

Edit the attributes for a license, including the license name or environment assignment.

mfa:create:createTestDevice

Create an MFA device for testing.

mfa:authenticate:device

Initiate device authentication.

mfa:read:device

Read MFA devices.

mfa:create:deviceAuthenticationPolicy

Create an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.

mfa:read:deviceAuthenticationPolicy

Read an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.

mfa:update:deviceAuthenticationPolicy

Update an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.

mfa:delete:deviceAuthenticationPolicy

Delete an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.

mfa:create:fidoDeviceMetadata

Create custom FIDO device metadata.

mfa:read:fidoDeviceMetadata

Read FIDO device metadata.

mfa:delete:fidoDeviceMetadata

Delete custom FIDO device metadata.

mfa:create:fidoPolicy

Create a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.

mfa:read:fidoPolicy

Read a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.

mfa:update:fidoPolicy

Update a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.

mfa:delete:fidoPolicy

Delete a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.

mfa:read:mfaSettings

Read MFA settings.

mfa:update:mfaSettings

Update MFA settings.

mfa:delete:mfaSettings

Reset MFA settings.

mfa:read:oathJob

Retrieve an OATH Job

mfa:create:oathToken

Add an OATH token to the environment. After you add the OATH token, you can specify it as an authentication method for a specific user. Relevant only for environments that include PingID.

mfa:read:oathToken

Read an OATH token that has been added to the environment. Relevant only for environments that include PingID.

mfa:update:oathToken

Resync an OATH token that has been added to the environment. Relevant only for environments that include PingID.

mfa:delete:oathToken

Delete an OATH token from the environment. Relevant only for environments that include PingID.

mfa:create:pairingKey

Create a pairing key for an MFA device.

mfa:read:pairingKey

Read pairing keys for MFA devices.

mfa:delete:pairingKey

Delete the pairing key for an MFA device.

notifications:create:emailDomain

Create an email domain. Email domains are used for sending out email notifications to your users.

notifications:read:emailDomain

Read the email domains. Email domains are used for sending out email notifications to your users.

notifications:update:emailDomain

Update an email domain. Email domains are used for sending out email notifications to your users.

notifications:delete:emailDomain

Delete an email domain. Email domains are used for sending out email notifications to your users.

notifications:create:notification

Send an event notification to a user.

notifications:create:notificationsPolicy

Create a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.

notifications:read:notificationsPolicy

Read notification policies. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.

notifications:update:notificationsPolicy

Update a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.

notifications:delete:notificationsPolicy

Delete a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.

notifications:read:notificationsSettings

Read fallback order for SMS/Voice providers and 'from' and 'reply to' fields for email notifications.

notifications:update:notificationsSettings

Update fallback order for SMS/Voice providers and reset 'from' and 'reply to' fields for email notifications.

notifications:delete:notificationsSettings

Reset fallback order for SMS/Voice providers and reset 'from' and 'reply to' fields for email notifications.

notifications:read:quota

Read the daily notification quota set in notification policy.

notifications:read:template

Read a notification template. Notification templates are used to inform users about certain events in PingOne.

notifications:create:templateContent

Create content for a notification template. Notification templates are used to inform users about some event types in PingOne.

notifications:read:templateContent

Read the content of a notification template. Notification templates are used to inform users about some event types in PingOne.

notifications:update:templateContent

Update content for a notification template. Notification templates are used to inform users about some event types in PingOne.

notifications:delete:templateContent

Delete the content of a notification template. Notification templates are used to inform users about some event types in PingOne.

notifications:reset:userQuota

Reset notifications quota

orgmgt:create:deployment

Create deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.

orgmgt:promote:environment

Promote an environment from sandbox to production. A sandbox environment is used to test functionality before deploying to production.

orgmgt:update:environment

Update environment properties to add or remove services, change the environment name or description, or update license information. Environments are the primary subdivision of an organization.

osmosis:check:connection

Test the provisioning connection to an external identity provider before saving the configuration.

osmosis:read:mapping

Read the attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.

osmosis:update:mapping

Update the attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.

osmosis:delete:mapping

Delete an attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.

osmosis:read:plan

Read a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.

osmosis:update:plan

Update a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.

osmosis:delete:plan

Delete a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.

osmosis:create:revision

Create a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.

osmosis:get:revision

Read a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.

osmosis:read:rule

Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.

osmosis:update:rule

Update a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.

osmosis:delete:rule

Delete a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.

osmosis:read:store

Read a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.

osmosis:update:store

Update a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.

osmosis:delete:store

Delete a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.

p14e:admin:application

Used only for SSO to PingOne for Enterprise. Enables the Application Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:auditReport

Used only for SSO to PingOne for Enterprise. Enables the Audit & Report Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:device

Used only for SSO to PingOne for Enterprise. Enables the PingID Device Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:global

Used only for SSO to PingOne for Enterprise. Enables the Global Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:identityRepository

Used only for SSO to PingOne for Enterprise. Enables the Identity Repository Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:saas

Used only for SSO to PingOne for Enterprise. Enables the SaaS Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:serviceUser

Used only for SSO to PingOne for Enterprise. Enables the Service User Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:support

Used only for SSO to PingOne for Enterprise. Enables the Global Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.

p14e:admin:update

Use with a PingOne for Enterprise role permission. Enables write access for the PingOne admin in PingOne for Enterprise.

permissions:read:applicationRoleAssignments

Read admin roles that are assigned to an application scope, including the role permissions. Roles are used by worker applications only.

permissions:read:gatewayRoleAssignments

Read the list of roles, and their associated permissions, that are assigned to a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.

permissions:read:groupRoleAssignments

Read the admin roles that are assigned to a group.

permissions:read:userRoleAssignments

Read admin roles that are assigned to a user, including the role permissions.

pingenterprise:create:orchestration

Create an orchestration flow for a Ping Enterprise deployment.

pingenterprise:read:orchestration

Read an orchestration flow for a Ping Enterprise deployment.

pingenterprise:update:orchestration

Update an orchestration flow for a Ping Enterprise deployment.

pingenterprise:delete:orchestration

Delete an orchestration flow for a Ping Enterprise deployment.

pingfederate:admin:auditor

Used only for SSO to PingFederate. Enables the PingFederate Auditor role for the PingOne admin in PingFederate.

pingfederate:admin:crypto

Used only for SSO to PingFederate. Enables the PingFederate Crypto Administrator role for the PingOne admin in PingFederate.

pingfederate:admin:expressions

Used only for SSO to PingFederate. Enables the PingFederate Expressions Administrator role for the PingOne admin in PingFederate.

pingfederate:admin:system

Used only for SSO to PingFederate. Enables the PingFederate Administrator role for the PingOne admin in PingFederate.

pingfederate:admin:users

Used only for SSO to PingFederate. Enables the PingFederate Users Administrator role for the PingOne admin in PingFederate.

pingid:read:activity

Read the last activity of a PingID user.

pingid:read:integration

Read PingID user integrations (services).

pingid:update:integration

Update a PingID user integration (service).

pingid:execute:migration

Start an integration of PingID with PingOne.

pingid:read:migration

Check the status of the integration of PingID with PingOne.

pingid:validate:migration

Validate resources such as PingID authentication policies before integrating PingID with PingOne.

pingintelligence:create:orchestration

Create an orchestration flow for a Ping Intelligence deployment.

pingintelligence:read:orchestration

Read an orchestration flow for a Ping Intelligence deployment.

pingintelligence:update:orchestration

Update an orchestration flow for a Ping Intelligence deployment.

pingintelligence:delete:orchestration

Delete an orchestration flow for a Ping Intelligence deployment.

prediction:create:prediction

Create a prediction.

provisioning:get:connectionSensitiveConfiguration

Read the authentication details, which can include sensitive information, for a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.

provisioning:create:provisioningSyncOrchestration

Create a provisioning sync orchestration for an environment. Sync orchestration is required by the PingOne gateway to provision users inbound into PingOne.

provisioning:update:provisioningSyncOrchestration

Update a provisioning sync orchestration to allow a gateway to provision users to a PingOne environment. Sync orchestration is required by the PingOne gateway to provision users inbound into PingOne.

radiusGateway:read:session

Read RADIUS session details for audit purposes.

resources:create:attribute

Create an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.

resources:read:attribute

Read a list of custom attributes for a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.

resources:update:attribute

Update an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.

resources:delete:attribute

Delete a custom attribute from a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.

resources:create:resource

Create a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.

resources:read:resource

Read the resources in the environment. Resources are protected endpoints that applications can access using OAuth 2 authorization services.

resources:update:resource

Update the configuration of a resource. Resources are the protected endpoints that applications can access using OAuth 2 authorization services.

resources:delete:resource

Delete a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.

resources:create:scope

Create a scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.

resources:read:scope

Read the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.

resources:update:scope

Update the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.

resources:delete:scope

Delete a scope from a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.

risk:create:evaluation

Create a risk evaluation, which is used to calculate the risk level and other risk-related details associated with an event.

risk:read:evaluation

Read risk evaluation details. Risk evaluations are used to calculate the risk level and other risk-related details associated with an event.

risk:update:evaluation

Update a risk evaluation with the completion status to allow the learning mechanism to improve risk evaluation precision.

risk:create:feedback

Create risk feedback.

risk:create:policy

Create a risk policy for use in risk evaluations.

risk:read:policy

Read risk policies, which are used in risk evaluations.

risk:update:policy

Modify an existing risk policy. Risk policies are used in risk evaluations.

risk:delete:policy

Delete a risk policy. Risk policies are used in risk evaluations.

risk:create:predictor

Create a risk predictor for use in risk policies.

risk:read:predictor

Read risk predictors, which are used in risk policies.

risk:update:predictor

Modify an existing risk predictor for use in risk policies.

risk:delete:predictor

Delete a risk predictor. Risk predictors are used in risk policies.

riskDetection:create:evaluation

Create detection evaluations for the risk service.

scim:read:schema

Read the schema for the environment, including its attributes, using the SCIM API. A schema defines the user attributes in the environment.

scim:create:user

Create a user in the environment using the SCIM API.

scim:read:user

Read a list of users in the environment using the SCIM API.

scim:update:user

Update a user account, including name, email address, and other attributes, using the SCIM API.

scim:delete:user

Delete a user from the environment using the SCIM API.

solutions:create:config

Create a new configuration, or reset an existing one, for the customer or workforce Getting Started experience to assign default flows for registration, authentication, profile management, and account recovery.

solutions:read:config

Read the configuration data for the CIAM or workforce Getting Started experiences, such as the flows used for registration, authentication, profile management, and account recovery.

solutions:update:config

Update the configuration of the customer or workforce Getting Started experience to use different flows for registration, authentication, profile management, or account recovery.

solutions:read:flow

Read the list of flows available as part of the Getting Started experience in the admin console.

solutions:read:token

Retrieve a DaVinci access token.

subscriptions:create:subscription

Create a webhook to send event information to an external monitoring system.

subscriptions:read:subscription

Read webhook information. Webhooks are used to subscribe to events of interest in PingOne and push the event information to an external monitoring system.

subscriptions:update:subscription

Update the properties or filters for a webhook to change the information that is sent to your external monitoring system.

subscriptions:delete:subscription

Delete a webhook to stop sending event information to your external monitoring system.

visualization:read:authentication

View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.

visualization:read:dashboard

View dashboards.

visualization:create:exploration

Create a data exploration object for use with dashboards and report generation.

visualization:read:exploration

Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.

visualization:read:template

Read a data exploration template.

visualization:read:userDemographics

Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.