PingOne Platform APIs

Built-in Admin Roles

These roles and the associated permissions are predefined (built-in) for PingOne:

Role | Abbr. | Can Assign
--- | --- | ---
Organization Admin | ORG | Environment Admin
Environment Admin | ENV | All roles except Organization Admin
Identity Data Admin | IDA | Identity Data Admin, Identity Data Read-Only Admin, Help Desk Admin
DaVinci Admin | DVA | DaVinci Admin, DaVinci Read-Only Admin
Custom Role Admin | ROLE | None
Application Owner | APP-O | None
Identity Data Read-Only Admin | IDA-R | None
Configuration Read-Only Admin | CFA-R | None
DaVinci Read-Only Admin | DVA-R | None
Client Application Developer | APP | None
Help Desk Admin | HDA | None

Advanced Identity Cloud

These roles and the associated permissions are predefined (built-in) for PingOne support of Advanced Identity Cloud:

The PingOne environment must include support for SSO to PingOne Advanced Identity Cloud.

Role | Abbr. | Can Assign
--- | --- | ---
Advanced Identity Cloud Super Admin | AIC-SUPER | Advanced Identity Cloud Super Admin, Advanced Identity Cloud Tenant Admin
Advanced Identity Cloud Tenant Admin | AIC-TENANT | None

Currently, you’re not able to assign the DaVinci Admin and DaVinci Read-Only Admin roles to a Worker app.

Roles and Permissions

Refer to PingOne Role Permissions for the PingOne roles and their permissions.

Refer to PingFederate SSO admin permissions for the applicable PingFederate roles.

Automatic role assignments

Role assignments determine access to PingOne APIs. When an application or user creates a new PingOne resource over which roles can be assigned, they are assigned all possible roles that can be assigned for the environment or population. For example, if an actor creates a new environment, the actor receives the Environment Admin, Identity Data Admin, and the Client Application Developer roles over that new environment. If the actor already has an existing organization-level Environment Admin role, the Environment Admin role would not be assigned again to the actor. Likewise, if the actor creates a new population, the actor receives the Identity Data Admin role automatically (unless the actor already has that assigned role).

Users and applications cannot create actors that have more privileges than they hold themselves. The actor (user or application) assigning roles must already hold the permissions it is trying to assign: the requesting user or application must have the same (or broader) role assignments as the target actor’s role assignments. For example, to create a user or an application that has Environment Admin privileges, the actor assigning the role must itself have Environment Admin privileges.

When creating PingOne resources, the following roles are assigned to the actor automatically when these PingOne entities are created:

  • Environments

    Environment Admin: Assigned for the created environment at the environment level, if the actor does not already have the Environment Admin role at the parent organization level.

    Identity Data Admin: Assigned for the created environment at the environment level.

    Client Application Developer: Assigned for the created environment at the environment level.

  • Populations

    Identity Data Admin: Assigned for the created population at the population level, if the actor does not already have the Identity Data Admin role at the parent environment level.
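The two rules above (roles granted automatically when an environment or population is created, and the requirement that a requester already hold what it grants) as a small Python model. This is an added example, not PingOne's own code or API. It assumes that scopes nest ORGANIZATION > ENVIRONMENT > POPULATION (from the "parent organization level" / "parent environment level" wording), that a role held at an enclosing scope covers every scope nested under it, and that the "Can Assign" column of the built-in roles table, keyed by the page's abbreviations, decides which roles a held role may grant; the scope IDs are constructed sample values.

```python
# Added example: a model of the PingOne role-assignment rules described on this
# page. Not PingOne's own code. Assumptions: scopes nest
# ORGANIZATION > ENVIRONMENT > POPULATION; a role held at an enclosing scope
# covers nested scopes; CAN_ASSIGN is the "Can Assign" column of the built-in
# roles table, using the page's abbreviations as role identifiers.
from dataclasses import dataclass

ALL_ROLES = frozenset({"ORG", "ENV", "IDA", "DVA", "ROLE", "APP-O",
                       "IDA-R", "CFA-R", "DVA-R", "APP", "HDA"})

# "Can Assign" column of the built-in roles table above.
CAN_ASSIGN = {
    "ORG": frozenset({"ENV"}),
    "ENV": ALL_ROLES - {"ORG"},
    "IDA": frozenset({"IDA", "IDA-R", "HDA"}),
    "DVA": frozenset({"DVA", "DVA-R"}),
    "ROLE": frozenset(), "APP-O": frozenset(), "IDA-R": frozenset(),
    "CFA-R": frozenset(), "DVA-R": frozenset(), "APP": frozenset(),
    "HDA": frozenset(),
}


@dataclass(frozen=True)
class Scope:
    type: str  # ORGANIZATION, ENVIRONMENT or POPULATION
    id: str


@dataclass(frozen=True)
class Assignment:
    role: str  # role abbreviation from the table
    scope: Scope


def ancestors(scope, parents):
    """Yield scope, then its parent, grandparent, ... (parents: Scope -> parent Scope)."""
    while scope is not None:
        yield scope
        scope = parents.get(scope)


def holds(actor_roles, role, scope, parents):
    """True if the actor holds `role` at `scope` or at any scope enclosing it."""
    return any(Assignment(role, s) in actor_roles for s in ancestors(scope, parents))


def automatic_assignments(actor_roles, created, parents):
    """Roles granted to the creating actor when `created` is a new ENVIRONMENT
    or POPULATION scope, following the 'Automatic role assignments' list:
    Environment Admin is skipped if already held at the parent organization,
    Identity Data Admin on a population is skipped if already held at the
    parent environment."""
    granted = set()
    if created.type == "ENVIRONMENT":
        if not holds(actor_roles, "ENV", created, parents):
            granted.add(Assignment("ENV", created))
        granted.add(Assignment("IDA", created))
        granted.add(Assignment("APP", created))
    elif created.type == "POPULATION":
        if not holds(actor_roles, "IDA", created, parents):
            granted.add(Assignment("IDA", created))
    return granted


def can_assign(requester_roles, target, parents):
    """Privilege bound: the requester must hold, at the target's scope or one
    enclosing it, a role whose 'Can Assign' set contains the role being granted."""
    for s in ancestors(target.scope, parents):
        for a in requester_roles:
            if a.scope == s and target.role in CAN_ASSIGN[a.role]:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample hierarchy: org-1 > env-1 > pop-1.
    org = Scope("ORGANIZATION", "org-1")
    env = Scope("ENVIRONMENT", "env-1")
    pop = Scope("POPULATION", "pop-1")
    parents = {env: org, pop: env}

    print("new env, no prior roles :", automatic_assignments(set(), env, parents))
    print("new env, ENV at org     :", automatic_assignments({Assignment("ENV", org)}, env, parents))
    print("IDA@env grants HDA@pop  :", can_assign({Assignment("IDA", env)}, Assignment("HDA", pop), parents))
    print("IDA@env grants ENV@env  :", can_assign({Assignment("IDA", env)}, Assignment("ENV", env), parents))
```

The `can_assign` check is the piece worth keeping in mind when reviewing an integration: a Worker application that only needs to onboard help-desk staff should hold Identity Data Admin on the relevant environment, not Environment Admin, because the broader role lets it grant every role except Organization Admin.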

Roles data model

Property | Type | Required? | Mutable? | Description
--- | --- | --- | --- | ---
actor.id | String | Required | Immutable | The ID of the actor.
actor.environmentId | String | Required | Immutable | The ID of the environment in which the actor exists.
actor.type | String | Required | Immutable | The type of the actor. Options are users and clients.
description | String | Optional | Immutable | The description of the resource.
environment.id | String | N/A | Read-only | The environment resource’s unique identifier associated with the resource.
id | String | N/A | Read-only | The resource’s unique identifier.
name | String | Required | Immutable | The resource name.
role.applicableTo | String | Required | Immutable | The scope types to which the role can be applied. Options are ORGANIZATION, ENVIRONMENT, and POPULATION.
role.description | String | Optional | Mutable | The description of the role.
role.id | String | N/A | Read-only | The ID of the role.
role.permissions | String | Required | Immutable | The set of permissions assigned to the role.
role.permissions.classifier | String | Required | Immutable | The resource for which the permission is applicable.
role.permissions.description | String | Optional | Mutable | The description of what the permission enables for the role.
role.permissions.id | String | Optional | Mutable | The ID of a permission associated with this role.
role.scope.id | String | Required | Mutable | A string that specifies the ID of the role assignment scope.
role.scope.type | String | Required | Immutable | The type of resource defining the scope of the role assignment. Options are PLATFORM, ORGANIZATION, ENVIRONMENT, POPULATION, and ACTOR.
type | String | Required | Immutable | The type of resource. Options are PLATFORM and CUSTOM.

Roles events generated

Refer to Audit Reporting Events for the events generated.

Response codes

Code | Message
--- | ---
200 | Successful operation.
201 | Successfully created.
204 | Successfully removed. No content.
400 | The request could not be completed.
401 | You do not have access to this resource.
403 | You do not have permissions or are not licensed to make this request.
404 | The requested resource was not found.

Related topics