Roles Management
The ability to perform an action in PingOne is determined by Role-Based Access Control (RBAC). For example, when you initiate a request to a PingOne endpoint, you must have the role required by the endpoint to execute the request. You’ll notice that our endpoint documentation uses icons to indicate the role or roles needed to access the endpoint (refer to Read All Built-in Admin Roles for an example).
You can assign a PingOne role to:
- Users, PingOne admins, or (for custom roles) groups.
- PingOne Worker Apps.
- PingOne Gateways for PingFederate. Only gateways having a type property of PING_FEDERATE can be assigned a role. Refer to Gateway Role Assignments for more information.
Users who aren’t an admin or Client Application Developer cannot be assigned a role, and therefore have no access to the APIs and no permission to execute actions on behalf of another user.
When assigning admin roles, you cannot assign roles that you do not have yourself, with the following exceptions:
- You can assign the read-only variants of built-in roles that are assigned to you.
- You can assign custom roles that have been configured to allow assignment by a role that’s assigned to you.
As a best practice, assign the minimum role or roles needed for the admin to perform their tasks. Refer to Assigning a user role for more information.
Note: If you assign a built-in or custom role in the Administrators environment, the role assignment can be applied to the Administrators environment, or any other environment, including the entire Organization (if your license enables this capability).
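The assignment rules above, worked through as an added example (a hypothetical model written for this page, not PingOne’s API or SDK; the role names, the Audit Viewer custom role and the assignable_by field are constructed for illustration):

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Hypothetical model of the assignment rules on this page; not PingOne's API or SDK.
# Role names and the assignable_by field are constructed for illustration.

@dataclass(frozen=True)
class Role:
    name: str
    custom: bool = False
    # Built-in roles only: the full role that this read-only variant belongs to.
    read_only_variant_of: Optional[str] = None
    # Custom roles only: roles whose holders are configured to be allowed to grant this role.
    assignable_by: FrozenSet[str] = frozenset()

def can_assign(assigner_roles: Set[str], target: Role) -> bool:
    """True if an admin holding assigner_roles may grant target to another principal.
    1. You may grant any role you hold yourself.
    2. You may grant the read-only variant of a built-in role you hold.
    3. You may grant a custom role configured as assignable by a role you hold.
    Anything else is refused, so an admin cannot hand out more than they have."""
    if target.name in assigner_roles:
        return True
    if not target.custom and target.read_only_variant_of in assigner_roles:
        return True
    if target.custom and assigner_roles & target.assignable_by:
        return True
    return False

def can_hold_role(principal_type: str, role: Role, gateway_type: Optional[str] = None) -> bool:
    """Which principals may receive a role at all: users and worker apps, groups
    (custom roles only), and gateways whose type property is PING_FEDERATE."""
    if principal_type in ("USER", "WORKER_APP"):
        return True
    if principal_type == "GROUP":
        return role.custom
    if principal_type == "GATEWAY":
        return gateway_type == "PING_FEDERATE"
    return False

# Constructed sample roles (built-in names echo the page; the custom role is invented).
ENV_ADMIN = Role("Environment Admin")
ENV_ADMIN_RO = Role("Environment Admin (read-only)", read_only_variant_of="Environment Admin")
ORG_ADMIN = Role("Organization Admin")
AUDIT_VIEWER = Role("Audit Viewer", custom=True, assignable_by=frozenset({"Environment Admin"}))

if __name__ == "__main__":
    me = {"Environment Admin"}  # roles held by the admin making the request
    for role in (ENV_ADMIN, ENV_ADMIN_RO, ORG_ADMIN, AUDIT_VIEWER):
        print(f"{role.name:32} -> {'allowed' if can_assign(me, role) else 'refused'}")
```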
PingOne supports the following types of roles:
- Built-in roles. These roles are predefined in the platform. The permissions associated with PingOne roles are managed by the platform. Common PingOne roles are Organization Admin, Environment Admin, Identity Data Admin, and Client Application Developer.
- Custom roles. These roles are environment-level resources that consist of a set of permissions that can be edited by administrators. A custom role can be assigned to a user or admin group for a specific scope.
- PingOne Authorize Application Roles. These roles are part of the PingOne Authorize capability. You must have the PingOne Authorize product capability activated in your license to access these endpoints. Application roles define custom roles and permissions within PingOne to protect external application resources.