PingOne Platform APIs

Read All Built-in Admin Roles

     

GET {{apiPath}}/roles

Use GET {{apiPath}}/roles to return a list of all the PingOne built-in roles and the permissions associated with each role. This endpoint does not return custom roles; refer to Read All Custom Admin Roles for those.

Headers

Authorization      Bearer {{accessToken}}

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

# List the PingOne built-in admin roles. {{apiPath}} and {{accessToken}} are
# documentation placeholders to be substituted before the command is run.
# --globoff stops curl from interpreting the braces as URL globbing syntax.
curl --globoff --location \
  --header 'Authorization: Bearer {{accessToken}}' \
  '{{apiPath}}/roles'
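// Requests the PingOne built-in admin roles and prints the JSON response.
// {{apiPath}} and {{accessToken}} are documentation placeholders; a real caller
// should read the token from configuration or a secret store, not from source.
var options = new RestClientOptions("{{apiPath}}/roles")
{
  // NOTE(review): confirm how the installed RestSharp version treats -1 and
  // prefer an explicit, finite timeout in milliseconds for production callers.
  MaxTimeout = -1,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Get);
request.AddHeader("Authorization", "Bearer {{accessToken}}");
RestResponse response = await client.ExecuteAsync(request);

// By default ExecuteAsync reports HTTP and transport failures on the response
// object rather than throwing, so check the outcome before using Content.
if (response.IsSuccessful)
{
  Console.WriteLine(response.Content);
}
else
{
  Console.Error.WriteLine($"Request failed: {(int)response.StatusCode} {response.ErrorMessage}");
}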
package main

import (
  "fmt"
  "io"
  "net/http"
  "time"
)

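// main requests the PingOne built-in admin roles and prints the response body.
//
// {{apiPath}} and {{accessToken}} are documentation placeholders; a real caller
// should load the token from its environment or a secret store rather than
// compiling it into the binary.
func main() {
  url := "{{apiPath}}/roles"

  // The zero-value http.Client has no timeout, so a stalled server would block
  // this call indefinitely; bound the whole exchange instead.
  client := &http.Client{Timeout: 30 * time.Second}

  req, err := http.NewRequest(http.MethodGet, url, nil)
  if err != nil {
    fmt.Println(err)
    return
  }
  req.Header.Set("Authorization", "Bearer {{accessToken}}")

  res, err := client.Do(req)
  if err != nil {
    fmt.Println(err)
    return
  }
  defer res.Body.Close()

  body, err := io.ReadAll(res.Body)
  if err != nil {
    fmt.Println(err)
    return
  }

  // Report a non-200 answer explicitly instead of printing an error document
  // as if it were the role list.
  if res.StatusCode != http.StatusOK {
    fmt.Printf("unexpected HTTP status %s: %s\n", res.Status, body)
    return
  }
  fmt.Println(string(body))
}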
GET /roles HTTP/1.1
Host: {{apiPath}}
Authorization: Bearer {{accessToken}}
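// Requests the PingOne built-in admin roles and prints the JSON response.
// {{apiPath}} and {{accessToken}} are documentation placeholders.
OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
// OkHttp rejects a GET that carries a request body (IllegalArgumentException),
// so the request is built with get() and no RequestBody.
Request request = new Request.Builder()
  .url("{{apiPath}}/roles")
  .get()
  .addHeader("Authorization", "Bearer {{accessToken}}")
  .build();
// A Response holds its connection until closed; try-with-resources releases it.
try (Response response = client.newCall(request).execute()) {
  if (!response.isSuccessful()) {
    throw new java.io.IOException("Unexpected HTTP status: " + response.code());
  }
  System.out.println(response.body().string());
}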
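// Requests the PingOne built-in admin roles and logs the parsed response.
// {{apiPath}} and {{accessToken}} are documentation placeholders. Code running
// in a browser exposes the bearer token to every script on the page, so keep
// admin-API tokens on a server-side caller where possible.
var settings = {
  "url": "{{apiPath}}/roles",
  "method": "GET",
  // jQuery treats 0 as "no timeout"; give the request an upper bound (ms).
  "timeout": 30000,
  "headers": {
    "Authorization": "Bearer {{accessToken}}"
  },
};

$.ajax(settings)
  .done(function (response) {
    console.log(response);
  })
  // Without a fail handler an expired token or network error passes silently.
  .fail(function (jqXHR, textStatus) {
    console.error("Request failed: " + jqXHR.status + " " + textStatus);
  });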
var request = require('request');
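// Requests the PingOne built-in admin roles and logs the response body.
// {{apiPath}} and {{accessToken}} are documentation placeholders; load the real
// token from the environment or a secret store rather than from source.
var options = {
  'method': 'GET',
  'url': '{{apiPath}}/roles',
  'headers': {
    'Authorization': 'Bearer {{accessToken}}'
  },
  // Bound how long the call may wait for the server (milliseconds).
  'timeout': 30000
};
request(options, function (error, response) {
  // `error` is already an Error; rethrowing it unchanged keeps its stack and code.
  if (error) throw error;
  // A non-200 answer carries an error document, not the role list.
  if (response.statusCode !== 200) {
    throw new Error('Unexpected HTTP status: ' + response.statusCode);
  }
  console.log(response.body);
});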
import requests

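# Request the PingOne built-in admin roles and print the JSON response.
# {{apiPath}} and {{accessToken}} are documentation placeholders; load the real
# token from the environment or a secret store rather than from source.
url = "{{apiPath}}/roles"

headers = {
  'Authorization': 'Bearer {{accessToken}}'
}

# requests waits indefinitely unless a timeout is given, so bound the call.
# A GET carries no body, so no payload is passed.
response = requests.get(url, headers=headers, timeout=30)

# Fail loudly on 4xx/5xx instead of printing an error document as if it were
# the role list.
response.raise_for_status()

print(response.text)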
<?php
require_once 'HTTP/Request2.php';
// Build a GET request for the built-in roles endpoint. {{apiPath}} and
// {{accessToken}} are documentation placeholders.
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/roles');
$request->setMethod(HTTP_Request2::METHOD_GET);
// NOTE(review): redirects are followed while the Authorization header is set on
// the request; confirm the token is not replayed to a different host.
$request->setConfig(array('follow_redirects' => TRUE));
$request->setHeader(array('Authorization' => 'Bearer {{accessToken}}'));
try {
  $response = $request->send();
  $status = $response->getStatus();
  if ($status != 200) {
    // Anything other than 200 is reported with its status line, not its body.
    echo 'Unexpected HTTP status: ' . $status . ' ' .
    $response->getReasonPhrase();
  }
  else {
    echo $response->getBody();
  }
}
catch (HTTP_Request2_Exception $e) {
  // Transport-level failures raised by send() end up here.
  echo 'Error: ' . $e->getMessage();
}
require "uri"
require "net/http"

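# Request the PingOne built-in admin roles and print the response body.
# {{apiPath}} and {{accessToken}} are documentation placeholders.
url = URI("{{apiPath}}/roles")

http = Net::HTTP.new(url.host, url.port)
# Net::HTTP speaks plaintext unless TLS is switched on explicitly; without this
# the request, bearer token included, is written to the socket unencrypted even
# when the URL scheme is https.
http.use_ssl = (url.scheme == "https")

request = Net::HTTP::Get.new(url)
request["Authorization"] = "Bearer {{accessToken}}"

response = http.request(request)
# Flag a non-2xx answer on stderr so an error document is not mistaken for the
# role list; the body is still printed for diagnosis.
unless response.is_a?(Net::HTTPSuccess)
  warn "Unexpected HTTP status: #{response.code} #{response.message}"
end
puts response.read_body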
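// Requests the PingOne built-in admin roles and prints the response body.
// {{apiPath}} and {{accessToken}} are documentation placeholders; load the real
// token from the keychain or configuration rather than from source.
guard let url = URL(string: "{{apiPath}}/roles") else {
  fatalError("Invalid roles URL")
}

// No explicit timeoutInterval: URLRequest's default (60 seconds) applies, so a
// stalled server cannot hold the task open forever.
var request = URLRequest(url: url)
request.httpMethod = "GET"
request.setValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")

let task = URLSession.shared.dataTask(with: request) { data, response, error in
  guard let data = data else {
    print(String(describing: error))
    return
  }
  // Flag a non-2xx answer so an error document is not mistaken for the role list.
  if let http = response as? HTTPURLResponse, !(200...299).contains(http.statusCode) {
    print("Unexpected HTTP status: \(http.statusCode)")
  }
  // String(decoding:as:) cannot fail, so malformed bytes no longer crash the callback.
  print(String(decoding: data, as: UTF8.self))
}

task.resume()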

Example Response

200 OK

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/roles"
        }
    },
    "_embedded": {
        "roles": [
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/c84dee43-9c8c-4ed2-b31b-8f20c2ab1df6"
                    }
                },
                "id": "c84dee43-9c8c-4ed2-b31b-8f20c2ab1df6",
                "name": "Advanced Identity Cloud Super Admin",
                "description": "Grants the Super Admin role in Advanced Identity Cloud which has full access to all administrative features and can manage every aspect of this tenant, including adding other administrators.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identitycloud:admin:superadmin",
                        "classifier": "superadmin",
                        "description": "Grants the Super Admin role in Advanced Identity Cloud which has full access to all administrative features and can manage every aspect of this tenant, including adding other administrators.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identitycloud:admin:tenantadmin",
                        "classifier": "tenantadmin",
                        "description": "Grants the Tenant Admin role in Advanced Identity Cloud which has full access to all administrative features, except the ability to add other administrators.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "b34e1581-b055-4a76-9bfd-b52a0f57f738"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/b34e1581-b055-4a76-9bfd-b52a0f57f738"
                    }
                },
                "id": "b34e1581-b055-4a76-9bfd-b52a0f57f738",
                "name": "Advanced Identity Cloud Tenant Admin",
                "description": "Grants the Tenant Admin role in Advanced Identity Cloud which has full access to all administrative features, except the ability to add other administrators.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identitycloud:admin:tenantadmin",
                        "classifier": "tenantadmin",
                        "description": "Grants the Tenant Admin role in Advanced Identity Cloud which has full access to all administrative features, except the ability to add other administrators.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/da1f99b8-148c-11ee-be56-0242ac120002"
                    }
                },
                "id": "da1f99b8-148c-11ee-be56-0242ac120002",
                "name": "Application Owner",
                "description": "A role for managing specific applications to which they are assigned. Key permissions include assigning application access using groups, editing attributes, and configuring connection details for the application. This role has no other administrator permissions.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "APPLICATION"
                ],
                "permissions": [
                    {
                        "id": "applications:create:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Assign DaVinci policies to PingOne applications. When assigned, a DaVinci policy controls which DaVinci flow a PingOne application uses for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:create:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Assign an authentication policy that defines the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:application",
                        "classifier": "application",
                        "description": "Delete an application from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Unassign DaVinci policies from PingOne applications. When unassigned, a DaVinci policy no longer has control over the authentication experience for the PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Delete an assigned authentication policy from an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:application",
                        "classifier": "application",
                        "description": "Read the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Read the assigned DaVinci policies for any PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:grant",
                        "classifier": "grant",
                        "description": "Read the resource scope that is assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Read push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:read:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Read authentication policies that are assigned to an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:application",
                        "classifier": "application",
                        "description": "Update the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Update the policy order for DaVinci policies assigned to PingOne applications. A PingOne application applies policies in their listed order from top to bottom.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Update the authentication policy that is assigned to an application to change the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "authn:read:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Read authentication policies, which define how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Assign an adaptive access policy to an application. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Delete adaptive access policy assignments from an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServer",
                        "classifier": "apiServer",
                        "description": "Read details for an API service and its associated operations, including the name, base URLs, and directory and token source.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:customDomain",
                        "classifier": "customDomain",
                        "description": "Read the custom domain for the environment and see the corresponding custom service URLs. If enabled, custom domains replace pingone in the address bar.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:read:key",
                        "classifier": "key",
                        "description": "Read the metadata for a key pair and download it as an X509 certificate. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "flowPolicies:read:flowPolicy",
                        "classifier": "flowPolicy",
                        "description": "Read all DaVinci policies that are configured for use with PingOne applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:create:image",
                        "classifier": "image",
                        "description": "Upload an image to PingOne for an environment. The image can be used by other services within the environment, such as user profile.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "integrations:read:integration",
                        "classifier": "integration",
                        "description": "Read a list of product integration kits, versions, and items in the application catalog.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "permissions:read:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Read admin roles that are assigned to an application scope, including the role permissions. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:read:attribute",
                        "classifier": "attribute",
                        "description": "Read a list of custom attributes for a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:resource",
                        "classifier": "resource",
                        "description": "Read the resources in the environment. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:scope",
                        "classifier": "scope",
                        "description": "Read the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/b4766c28-4c05-4bf8-a285-312217341d03"
                    }
                },
                "id": "b4766c28-4c05-4bf8-a285-312217341d03",
                "name": "Authorize Gateway Policy Evaluator",
                "description": "This role grants the minimum permissions required for Authorize gateways to interact with PingOne, which includes reading gateway configuration and deployment details. To grant an Authorize gateway additional policy evaluation permissions, such as reading user details, checking group membership, and evaluating risk scores, create a custom role based on the Authorize Gateway Policy Evaluator role.",
                "applicableTo": [
                    "ENVIRONMENT"
                ],
                "permissions": [
                    {
                        "id": "authz:read:authorizeDeployment",
                        "classifier": "authorizeDeployment",
                        "description": "Read PingOne Authorize Gateway Deployment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:read:gateway",
                        "classifier": "gateway",
                        "description": "Read the configuration details of all PingOne gateways. Gateways connect your on-premises infrastructure to PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/b5057d0d-7281-47f6-9398-8a7e4cb71397"
                    }
                },
                "id": "b5057d0d-7281-47f6-9398-8a7e4cb71397",
                "name": "Client Application Developer",
                "description": "A role for managing API client applications. The permissions for a client application developer are centered around managing applications and include functions such as creating and deleting client applications and resetting a client secret for an application.",
                "applicableTo": [
                    "ENVIRONMENT"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:application",
                        "classifier": "application",
                        "description": "Create an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Assign DaVinci policies to PingOne applications. When assigned, a DaVinci policy controls which DaVinci flow a PingOne application uses for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:create:grant",
                        "classifier": "grant",
                        "description": "Assign a resource scope to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Create push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Assign an authentication policy that defines the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:application",
                        "classifier": "application",
                        "description": "Delete an application from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Unassign DaVinci policies from PingOne applications. When unassigned, a DaVinci policy no longer has control over the authentication experience for the PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:grant",
                        "classifier": "grant",
                        "description": "Delete an assigned resource scope from an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:delete:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Delete push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:delete:secret",
                        "classifier": "secret",
                        "description": "Revoke the previous client secret for an application before it expires. Client secrets are used to authenticate an application with PingOne and can be revoked when a new secret is generated.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:delete:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Delete an assigned authentication policy from an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:application",
                        "classifier": "application",
                        "description": "Read the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Read the assigned DaVinci policies for any PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:grant",
                        "classifier": "grant",
                        "description": "Read the resource scope that is assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Read push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:read:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Read authentication policies that are assigned to an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:application",
                        "classifier": "application",
                        "description": "Update the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Update the policy order for DaVinci policies assigned to PingOne applications. A PingOne application applies policies in their listed order from top to bottom.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:grant",
                        "classifier": "grant",
                        "description": "Change the resource scopes that are assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:update:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Update push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:update:secret",
                        "classifier": "secret",
                        "description": "Create a new client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:update:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Update the authentication policy that is assigned to an application to change the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "authn:read:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Read authentication policies, which define how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Create access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Create an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Assign an adaptive access policy to an application. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:apiServer",
                        "classifier": "apiServer",
                        "description": "Create an API service and associated operations, which represent an HTTP API with access control handled by PingOne Authorize.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Delete access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Delete an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Delete adaptive access policy assignments from an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:apiServer",
                        "classifier": "apiServer",
                        "description": "Delete an API service and its associated operations, decision endpoint, and policy tree.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:deploy:apiServerDeployment",
                        "classifier": "apiServerDeployment",
                        "description": "Deploy API service configuration updates and policies to the API service's decision endpoint.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Read details for access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Read configuration details for adaptive access policies. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServer",
                        "classifier": "apiServer",
                        "description": "Read details for an API service and its associated operations, including the name, base URLs, and directory and token source.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServerDeployment",
                        "classifier": "apiServerDeployment",
                        "description": "Read an API service's deployment status.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Update access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Update an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:apiServer",
                        "classifier": "apiServer",
                        "description": "Update details for an API service and its associated operations, including the name, base URLs, and basic rules.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Read the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:customDomain",
                        "classifier": "customDomain",
                        "description": "Read the custom domain for the environment and see the corresponding custom service URLs. If enabled, custom domains replace pingone in the address bar.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:theme",
                        "classifier": "theme",
                        "description": "Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:read:key",
                        "classifier": "key",
                        "description": "Read the metadata for a key pair and download it as an X509 certificate. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "enduseruiconfig:read:configs",
                        "classifier": "configs",
                        "description": "View the Self Service and Application Portal pages.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "flowPolicies:read:flowPolicy",
                        "classifier": "flowPolicy",
                        "description": "Read all DaVinci policies that are configured for use with PingOne applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:form",
                        "classifier": "form",
                        "description": "Get a list of available DaVinci forms.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to the PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identityProviders:create:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Create an identity provider (IdP) resource. External IdP connections allow users to authenticate with PingOne using credentials provided by the IdP when configured as part of an authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:delete:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Delete an identity provider (IdP) resource. Users will no longer be able to use the external IdP connection to authenticate using credentials provided by the IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:read:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:update:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Update an identity provider (IdP) resource to change how users authenticate to PingOne using the credentials provided by the IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:create:image",
                        "classifier": "image",
                        "description": "Upload an image to PingOne for an environment. The image can be used by other services within the environment, such as user profiles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:delete:image",
                        "classifier": "image",
                        "description": "Delete any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "integrations:read:integration",
                        "classifier": "integration",
                        "description": "Read a list of product integration kits, versions, and items in the application catalog.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:read:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Read admin roles that are assigned to an application scope, including the role permissions. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "permissions:update:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Assign or revoke admin roles for an application scope. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "pingenterprise:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve the orchestration flow for a Ping Enterprise deployment.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingintelligence:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve the orchestration flow for a Ping Intelligence deployment.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "resources:create:attribute",
                        "classifier": "attribute",
                        "description": "Create an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:create:resource",
                        "classifier": "resource",
                        "description": "Create a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:create:scope",
                        "classifier": "scope",
                        "description": "Create a scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:attribute",
                        "classifier": "attribute",
                        "description": "Delete a custom attribute from a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:resource",
                        "classifier": "resource",
                        "description": "Delete a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:scope",
                        "classifier": "scope",
                        "description": "Delete a scope from a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:secret",
                        "classifier": "secret",
                        "description": "Revoke the previous client secret for an application resource before it expires. Client secrets are used to authenticate a resource with PingOne and can be revoked when a new secret is generated.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:read:attribute",
                        "classifier": "attribute",
                        "description": "Read a list of custom attributes for a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:resource",
                        "classifier": "resource",
                        "description": "Read the resources in the environment. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:scope",
                        "classifier": "scope",
                        "description": "Read the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:update:attribute",
                        "classifier": "attribute",
                        "description": "Update an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:resource",
                        "classifier": "resource",
                        "description": "Update the configuration of a resource. Resources are the protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:scope",
                        "classifier": "scope",
                        "description": "Update the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:secret",
                        "classifier": "secret",
                        "description": "Create a new client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "solutions:read:config",
                        "classifier": "config",
                        "description": "Read the configuration data for the CIAM or workforce Getting Started experiences, such as the flows used for registration, authentication, profile management, and account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:flow",
                        "classifier": "flow",
                        "description": "Read the list of flows available as part of the getting started experience in the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:token",
                        "classifier": "token",
                        "description": "Retrieve a DaVinci access token.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:update:config",
                        "classifier": "config",
                        "description": "Update the configuration of the customer or workforce Getting Started experience to use different flows for registration, authentication, profile management, or account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read a data exploration template.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/7aba580c-5ec7-4b26-987d-85f462767455"
                    }
                },
                "id": "7aba580c-5ec7-4b26-987d-85f462767455",
                "name": "Configuration Read Only",
                "description": "A subset of the Environment Admin role, but with read-only permissions. For example, the Environment Admin role can read, update, and delete environments, but the Configuration Read Only role can read environment data only. Admins with the Environment Admin or Configuration Read Only role can assign the Configuration Read Only role to users.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:read:agreement",
                        "classifier": "agreement",
                        "description": "Read agreements that users must consent to as part of an authentication policy or flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "alerting:read:channel",
                        "classifier": "channel",
                        "description": "Read alert channels to view the types of events that will trigger an alert and the list of email addresses where the alerts will be sent.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:read:application",
                        "classifier": "application",
                        "description": "Read the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Read the assigned DaVinci policies for any PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:grant",
                        "classifier": "grant",
                        "description": "Read the resource scope that is assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Read push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:read:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Read authentication policies that are assigned to an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "audit_reporting:read:activity",
                        "classifier": "activity",
                        "description": "Access to the audit report and event content including PII.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:read:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Read authentication policies, which define how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Read details for access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Read configuration details for adaptive access policies. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServer",
                        "classifier": "apiServer",
                        "description": "Read details for an API service and its associated operations, including the name, base URLs, and directory and token source.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServerDeployment",
                        "classifier": "apiServerDeployment",
                        "description": "Read an API service's deployment status.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Read configuration details for authorization attributes in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Read configuration details for authorization conditions in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Read configuration details for authorization policies. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Read configuration details for authorization processors in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Read configuration details for authorization rules. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Read configuration details for authorization services in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Read configuration details for authorization statements. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizeDeployment",
                        "classifier": "authorizeDeployment",
                        "description": "Read PingOne Authorize Gateway Deployment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Read details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "authz:read:deploymentpackage",
                        "classifier": "deploymentpackage",
                        "description": "Read the deployment package of policies and Trust Framework definitions associated with a specific authorization version.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:entity",
                        "classifier": "entity",
                        "description": "Read details about an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:recentdecisions",
                        "classifier": "recentdecisions",
                        "description": "Read details about the decision flow and elements used in recent decisions for a decision endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:tag",
                        "classifier": "tag",
                        "description": "Read an authorization version name.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:version",
                        "classifier": "version",
                        "description": "Read details about an authorization version, including the entity that changed, the date and time, and the user who made the change.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Read the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:customDomain",
                        "classifier": "customDomain",
                        "description": "Read the custom domain for the environment and see the corresponding custom service URLs. If enabled, custom domains replace pingone in the address bar.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:theme",
                        "classifier": "theme",
                        "description": "Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:read:key",
                        "classifier": "key",
                        "description": "Read the metadata for a key pair and download it as an X509 certificate. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:krp",
                        "classifier": "krp",
                        "description": "Read a list of key rotation policies in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Read a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialType",
                        "classifier": "credentialType",
                        "description": "Read a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentials",
                        "classifier": "credentials",
                        "description": "Read a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Read a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Read a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Read an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Read the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:read:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Read a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupSyncedRules",
                        "classifier": "groupSyncedRules",
                        "description": "Get a group's provisioning rule sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Read a list of password policies for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:userSyncedStores",
                        "classifier": "userSyncedStores",
                        "description": "Get a user's target store sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "earlyAccess:read:features",
                        "classifier": "features",
                        "description": "Read the early access features applicable to an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "enduseruiconfig:read:configs",
                        "classifier": "configs",
                        "description": "View the Self Service and Application Portal pages.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:read:externalService",
                        "classifier": "externalService",
                        "description": "Read one or more external services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:read:secrets",
                        "classifier": "secrets",
                        "description": "Read external service secrets",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "flowPolicies:read:flowPolicy",
                        "classifier": "flowPolicy",
                        "description": "Read all DaVinci policies that are configured for use with PingOne applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:form",
                        "classifier": "form",
                        "description": "Get a list of available DaVinci forms.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:read:gateway",
                        "classifier": "gateway",
                        "description": "Read the configuration details of all PingOne gateways. Gateways connect your on-premise infrastructure to PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identityProviders:read:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Read a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Read the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Read the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "integrations:read:integration",
                        "classifier": "integration",
                        "description": "Read a list of product integration kits, versions, and items in the application catalog.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:read:language",
                        "classifier": "language",
                        "description": "Read a list of languages that are currently configured for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "mfa:read:deviceAuthenticationPolicy",
                        "classifier": "deviceAuthenticationPolicy",
                        "description": "Read an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:fidoDeviceMetadata",
                        "classifier": "fidoDeviceMetadata",
                        "description": "Read FIDO device metadata.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:fidoPolicy",
                        "classifier": "fidoPolicy",
                        "description": "Read a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:mfaSettings",
                        "classifier": "mfaSettings",
                        "description": "Read MFA settings.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:oathJob",
                        "classifier": "oathJob",
                        "description": "Retrieve an OATH Job",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:oathToken",
                        "classifier": "oathToken",
                        "description": "Read an OATH token that has been added to the environment. Relevant only for environments that include PingID.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:emailDomain",
                        "classifier": "emailDomain",
                        "description": "Read the email domains. Email domains are used for sending out email notifications to your users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:notificationsPolicy",
                        "classifier": "notificationsPolicy",
                        "description": "Read notification policies. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:notificationsSettings",
                        "classifier": "notificationsSettings",
                        "description": "Read fallback order for SMS/Voice providers and 'from' and 'reply to' fields for email notifications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:quota",
                        "classifier": "quota",
                        "description": "Read the daily notification quota set in notification policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:template",
                        "classifier": "template",
                        "description": "Read a notification template. Notification templates are used to inform users about certain events in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:templateContent",
                        "classifier": "templateContent",
                        "description": "Read the content of a notification template. Notification templates are used to inform users about some event types in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "osmosis:read:mapping",
                        "classifier": "mapping",
                        "description": "Read the attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:plan",
                        "classifier": "plan",
                        "description": "Read a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:store",
                        "classifier": "store",
                        "description": "Read a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:read:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Read admin roles that are assigned to an application scope, including the role permissions. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "permissions:read:gatewayRoleAssignments",
                        "classifier": "gatewayRoleAssignments",
                        "description": "Read the list of roles and the associated permissions associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingenterprise:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingintelligence:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "promotion:read:promotion",
                        "classifier": "promotion",
                        "description": "Read environment promotion details, such as which environment resources were promoted from one environment to another.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:promotionConfiguration",
                        "classifier": "promotionConfiguration",
                        "description": "Read environment-specific configuration data for promotion. Environment promotion ensures the smooth transition of configuration data between environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:promotionVariable",
                        "classifier": "promotionVariable",
                        "description": "Read environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:snapshot",
                        "classifier": "snapshot",
                        "description": "Read snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:read:attribute",
                        "classifier": "attribute",
                        "description": "Read a list of custom attributes for a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:resource",
                        "classifier": "resource",
                        "description": "Read the resources in the environment. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:scope",
                        "classifier": "scope",
                        "description": "Read the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "risk:read:policy",
                        "classifier": "policy",
                        "description": "Read risk policies, which are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:predictor",
                        "classifier": "predictor",
                        "description": "Read risk predictors, which are used in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:config",
                        "classifier": "config",
                        "description": "Read the configuration data for the CIAM or workforce Getting Started experiences, such as the flows used for registration, authentication, profile management, and account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:flow",
                        "classifier": "flow",
                        "description": "Read the list of flows available as part of the getting started experience in the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:token",
                        "classifier": "token",
                        "description": "Retrieve a DaVinci access token.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "subscriptions:read:subscription",
                        "classifier": "subscription",
                        "description": "Read webhook information. Webhooks are used to subscribe to events of interest in PingOne and push the event information to an external monitoring system.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read data exploration template",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/6f770b08-793f-4393-b2aa-b1d1587a0324"
                    }
                },
                "id": "6f770b08-793f-4393-b2aa-b1d1587a0324",
                "name": "Custom Roles Admin",
                "description": "A role for managing custom roles, but not assigning them.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "permissions:create:roles",
                        "classifier": "roles",
                        "description": "Create a custom role for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:delete:roles",
                        "classifier": "roles",
                        "description": "Remove a custom role from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:update:roles",
                        "classifier": "roles",
                        "description": "Update the permissions that are included in a custom role for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/168d545c-8337-4a34-8426-9c173d60e331"
                    }
                },
                "id": "168d545c-8337-4a34-8426-9c173d60e331",
                "name": "DaVinci Admin",
                "description": "A role with full read and write access to the DaVinci console. Create, edit, and delete DaVinci flows, deploy DaVinci flows, create, edit, and delete connections and variables.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "branding:read:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Read the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:theme",
                        "classifier": "theme",
                        "description": "Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:applications",
                        "classifier": "applications",
                        "description": "Create DaVinci applications",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:connections",
                        "classifier": "connections",
                        "description": "Create a new DaVinci connector for an environment and make it available for use in all DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:constructs",
                        "classifier": "constructs",
                        "description": "Create variables of any available scope in an environment or using the Variables connector in a DaVinci flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Create or import DaVinci flows in one or more environments. Add new connectors during the import process.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:flowPolicies",
                        "classifier": "flowPolicies",
                        "description": "Create DaVinci flow policies",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:create:uiTemplates",
                        "classifier": "uiTemplates",
                        "description": "Create user interface templates in DaVinci. UI templates can be used in a DaVinci flow to match your company style and branding.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:applications",
                        "classifier": "applications",
                        "description": "Delete DaVinci applications",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:connections",
                        "classifier": "connections",
                        "description": "Delete a connector instance from an environment. This operation renders the connector instance non-functional in DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:constructs",
                        "classifier": "constructs",
                        "description": "Delete any variables across the environment and within DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Delete existing DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:dvUsers",
                        "classifier": "dvUsers",
                        "description": "Delete users from DaVinci. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:flowPolicies",
                        "classifier": "flowPolicies",
                        "description": "Delete DaVinci flow policies",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Delete DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:delete:uiTemplates",
                        "classifier": "uiTemplates",
                        "description": "Delete user interface templates from DaVinci. The UI template can no longer be used in DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:deploy:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Publish versions of DaVinci flows to make them available for use in DaVinci applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:export:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Export DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:applications",
                        "classifier": "applications",
                        "description": "Read DaVinci applications",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:connections",
                        "classifier": "connections",
                        "description": "Read a list of all connectors added to an environment, including their configurations and containing DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:connectors",
                        "classifier": "connectors",
                        "description": "Read DaVinci connectors",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:constructs",
                        "classifier": "constructs",
                        "description": "Read all variables and their values across the environment and within DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Read all DaVinci flows and their internal configurations. Also allows you to export flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:dvUsers",
                        "classifier": "dvUsers",
                        "description": "Read DaVinci users. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:events",
                        "classifier": "events",
                        "description": "Read auditing information for the admin portal. This includes all events that generate an audit log entry, including the creation or modification of a flow, flow policy, or connector.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:flowPolicies",
                        "classifier": "flowPolicies",
                        "description": "Read DaVinci flow policies",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Read DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:interactionEvents",
                        "classifier": "interactionEvents",
                        "description": "Read DaVinci flow analytics. Flow analytics display information about flow executions, including the nodes used, inputs, and outputs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:stats",
                        "classifier": "stats",
                        "description": "Read administrator statistics about the admin portal. This includes the UI dashboard summary and data about the creation and use of flows, connectors, variables, and users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:uiTemplates",
                        "classifier": "uiTemplates",
                        "description": "Read user interface templates in DaVinci. UI templates can be used in DaVinci flows to match your company style and branding.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:revert:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Revert DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:applications",
                        "classifier": "applications",
                        "description": "Update DaVinci applications",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:connections",
                        "classifier": "connections",
                        "description": "Update the environment-level configuration of a connector instance. These changes also affect any use of the connector in DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:constructs",
                        "classifier": "constructs",
                        "description": "Update any variables across the environment and within DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Update the configuration and design of DaVinci flows and add, configure, or remove their subcomponents at the flow level.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:dvUsers",
                        "classifier": "dvUsers",
                        "description": "Update users in DaVinci. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:flowPolicies",
                        "classifier": "flowPolicies",
                        "description": "Update DaVinci flow policies",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Update DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:update:uiTemplates",
                        "classifier": "uiTemplates",
                        "description": "Update user interface templates in DaVinci. UI templates can be used in DaVinci flows to match your company style and branding.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:create:form",
                        "classifier": "form",
                        "description": "Create a DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:delete:form",
                        "classifier": "form",
                        "description": "Delete a DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:delete:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Delete the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:form",
                        "classifier": "form",
                        "description": "Get a list of available DaVinci forms.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:update:form",
                        "classifier": "form",
                        "description": "Update an existing DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:update:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Update the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "langmgt:read:language",
                        "classifier": "language",
                        "description": "Read a list of languages that are currently configured for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:update:language",
                        "classifier": "language",
                        "description": "Enable or disable a language for an environment or set a language as the default.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "e23fed81-8c98-4c20-b823-8d29514ab5f6"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/e23fed81-8c98-4c20-b823-8d29514ab5f6"
                    }
                },
                "id": "e23fed81-8c98-4c20-b823-8d29514ab5f6",
                "name": "DaVinci Admin Read Only",
                "description": "A role with read-only access to the DaVinci console. Read flows, connections, and variables.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "branding:read:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Read the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:theme",
                        "classifier": "theme",
                        "description": "Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:applications",
                        "classifier": "applications",
                        "description": "Read DaVinci applications",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:connections",
                        "classifier": "connections",
                        "description": "Read a list of all connectors added to an environment, including their configurations and containing DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:connectors",
                        "classifier": "connectors",
                        "description": "Read DaVinci connectors",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:constructs",
                        "classifier": "constructs",
                        "description": "Read all variables and their values across the environment and within DaVinci flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:dvFlows",
                        "classifier": "dvFlows",
                        "description": "Read all DaVinci flows and their internal configurations. Also allows you to export flows.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:dvUsers",
                        "classifier": "dvUsers",
                        "description": "Read DaVinci users. DaVinci users are end users created during a DaVinci flow and stored in DaVinci.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:events",
                        "classifier": "events",
                        "description": "Read auditing information for the admin portal. This includes all events that generate an audit log entry, including the creation or modification of a flow, flow policy, or connector.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:flowPolicies",
                        "classifier": "flowPolicies",
                        "description": "Read DaVinci flow policies",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:flowVersions",
                        "classifier": "flowVersions",
                        "description": "Read DaVinci flow versions",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:interactionEvents",
                        "classifier": "interactionEvents",
                        "description": "Read DaVinci flow analytics. Flow analytics display information about flow executions, including the nodes used, inputs, and outputs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:stats",
                        "classifier": "stats",
                        "description": "Read administrator statistics about the admin portal. This includes the UI dashboard summary and data about the creation and use of flows, connectors, variables, and users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "davinci:read:uiTemplates",
                        "classifier": "uiTemplates",
                        "description": "Read user interface templates in DaVinci. UI templates can be used in DaVinci flows to match your company style and branding.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:form",
                        "classifier": "form",
                        "description": "Get a list of available DaVinci forms.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "langmgt:read:language",
                        "classifier": "language",
                        "description": "Read a list of languages that are currently configured for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/c8facf98-7e92-48ee-a5a0-0365be0bced3"
                    }
                },
                "id": "c8facf98-7e92-48ee-a5a0-0365be0bced3",
                "name": "Editing access for PingOne for Enterprise",
                "description": "Used only for SSO to PingOne for Enterprise in conjunction with another PingOne for Enterprise role. Adding this role provides the PingOne admin with write access permissions for the associated role in PingOne for Enterprise. Without this role, PingOne for Enterprise roles provide read-only access.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "p14e:admin:update",
                        "classifier": "update",
                        "description": "Use with a PingOne for Enterprise role permission. Enables write access for the PingOne admin in PingOne for Enterprise.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/29ddce68-cd7f-4b2a-b6fc-f7a19553b496"
                    }
                },
                "id": "29ddce68-cd7f-4b2a-b6fc-f7a19553b496",
                "name": "Environment Admin",
                "description": "A role for managing environments. The permissions for an environment administrator are centered around managing environments and include functions such as editing environments, managing populations, viewing password policies, and assigning certain roles.",
                "applicableTo": [
                    "ORGANIZATION",
                    "ENVIRONMENT"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "admin:update:config",
                        "classifier": "config",
                        "description": "Update the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "agreements:create:agreement",
                        "classifier": "agreement",
                        "description": "Create an agreement that users must consent to as part of an authentication policy or flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:delete:agreement",
                        "classifier": "agreement",
                        "description": "Delete an agreement that users must consent to as part of an authentication policy or flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:read:agreement",
                        "classifier": "agreement",
                        "description": "Read agreements that users must consent to as part of an authentication policy or flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:update:agreement",
                        "classifier": "agreement",
                        "description": "Update an agreement that users must consent to as part of an authentication policy or flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "alerting:create:channel",
                        "classifier": "channel",
                        "description": "Create an alert channel to define the types of events that will trigger an alert and to list email addresses where the alerts will be sent.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "alerting:delete:channel",
                        "classifier": "channel",
                        "description": "Delete an alert channel to stop sending alerts about events to a list of email addresses.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "alerting:read:channel",
                        "classifier": "channel",
                        "description": "Read alert channels to view the types of events that will trigger an alert and the list of email addresses where the alerts will be sent.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "alerting:update:channel",
                        "classifier": "channel",
                        "description": "Update an alert channel to change the types of events that will trigger an alert or to change the email addresses where the alerts will be sent.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Create permissions that represent actions that can be taken on resources in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Create resources that represent protected features in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Create roles that group permissions for external applications by function.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Assign application roles to users to grant the associated permissions for actions in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "Add permissions for external applications to application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Delete application permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Delete application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Delete application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Remove application role assignments from users to revoke the associated permissions for actions in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "Delete permissions from application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Update details for application permissions, including permission actions and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Update details for application resources, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Update details for application roles, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:application",
                        "classifier": "application",
                        "description": "Create an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Assign DaVinci policies to PingOne applications. When assigned, a DaVinci policy controls which DaVinci flow a PingOne application uses for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:create:grant",
                        "classifier": "grant",
                        "description": "Assign a resource scope to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Create push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:create:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Assign an authentication policy that defines the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:application",
                        "classifier": "application",
                        "description": "Delete an application from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Unassign DaVinci policies from PingOne applications. When unassigned, a DaVinci policy no longer has control over the authentication experience for the PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:delete:grant",
                        "classifier": "grant",
                        "description": "Delete an assigned resource scope from an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:delete:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Delete push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:delete:secret",
                        "classifier": "secret",
                        "description": "Revoke the previous client secret for an application before it expires. Client secrets are used to authenticate an application with PingOne and can be revoked when a new secret is generated.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:delete:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Delete an assigned authentication policy from an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:issue:certificate",
                        "classifier": "certificate",
                        "description": "Issue a new KDC certificate",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:read:application",
                        "classifier": "application",
                        "description": "Read the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Read the assigned DaVinci policies for any PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:grant",
                        "classifier": "grant",
                        "description": "Read the resource scope that is assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Read push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:read:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Read authentication policies that are assigned to an application. Authentication policies define the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:application",
                        "classifier": "application",
                        "description": "Update the settings for an application in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:flowPolicyAssignment",
                        "classifier": "flowPolicyAssignment",
                        "description": "Update the policy order for DaVinci policies assigned to PingOne applications. A PingOne application applies policies in their listed order from top to bottom.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "applications:update:grant",
                        "classifier": "grant",
                        "description": "Change the resource scopes that are assigned to an application. Resource scopes define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:update:pushCredentials",
                        "classifier": "pushCredentials",
                        "description": "Update push credentials for a mobile application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applications:update:secret",
                        "classifier": "secret",
                        "description": "Create a new client secret for an application. Client secrets are used to authenticate an application with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "applications:update:signOnPolicyAssignment",
                        "classifier": "signOnPolicyAssignment",
                        "description": "Update the authentication policy that is assigned to an application to change the sign-on requirements used to access an application.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "audit_reporting:read:activity",
                        "classifier": "activity",
                        "description": "Access to the audit report and event content including PII.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:create:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Create an authentication policy, which defines how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:delete:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Delete an authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:read:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Read authentication policies, which define how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:update:signOnPolicy",
                        "classifier": "signOnPolicy",
                        "description": "Update an authentication policy to change how user identities are verified at sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:authorize:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Make a decision request to a decision endpoint, initiating evaluation of policies deployed to the endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Create access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Create an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Assign an adaptive access policy to an application. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:apiServer",
                        "classifier": "apiServer",
                        "description": "Create an API service and associated operations, which represent an HTTP API with access control handled by PingOne Authorize.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Create an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Create an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Create an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Create an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Create an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Create an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Create an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Create a decision endpoint, which provides an environment for authorization policy deployment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:entity",
                        "classifier": "entity",
                        "description": "Create an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Delete access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Delete an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Delete adaptive access policy assignments from an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:apiServer",
                        "classifier": "apiServer",
                        "description": "Delete an API service and its associated operations, decision endpoint, and policy tree.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Delete an authorization attribute from the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Delete an authorization condition from the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Delete an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Delete an authorization processor from the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Delete an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Delete an authorization service from the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Delete an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:entity",
                        "classifier": "entity",
                        "description": "Delete an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:tag",
                        "classifier": "tag",
                        "description": "Delete an authorization version name.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:deploy:apiServerDeployment",
                        "classifier": "apiServerDeployment",
                        "description": "Deploy API service configuration updates and policies to the API service's decision endpoint.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Read details for access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Read configuration details for adaptive access policies. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServer",
                        "classifier": "apiServer",
                        "description": "Read details for an API service and its associated operations, including the name, base URLs, and directory and token source.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:apiServerDeployment",
                        "classifier": "apiServerDeployment",
                        "description": "Read an API service's deployment status.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Read configuration details for authorization attributes in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Read configuration details for authorization conditions in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Read configuration details for authorization policies. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Read configuration details for authorization processors in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Read configuration details for authorization rules. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Read configuration details for authorization services in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Read configuration details for authorization statements. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizeDeployment",
                        "classifier": "authorizeDeployment",
                        "description": "Read PingOne Authorize Gateway Deployment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Read details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "authz:read:deploymentpackage",
                        "classifier": "deploymentpackage",
                        "description": "Read the deployment package of policies and Trust Framework definitions associated with a specific authorization version.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:entity",
                        "classifier": "entity",
                        "description": "Read details about an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:recentdecisions",
                        "classifier": "recentdecisions",
                        "description": "Read details about the decision flow and elements used in recent decisions for a decision endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:tag",
                        "classifier": "tag",
                        "description": "Read an authorization version name.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:version",
                        "classifier": "version",
                        "description": "Read details about an authorization version, including the entity that changed, the date and time, and the user who made the change.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Test an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Test an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Test an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Test an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Test an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:entity",
                        "classifier": "entity",
                        "description": "Test an authorization service, attribute, condition, policy set, policy, or library rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:accessTokenProvider",
                        "classifier": "accessTokenProvider",
                        "description": "Update access token providers. Providers for access tokens generated outside of PingOne are used in conjunction with API services in PingOne Authorize to control access to APIs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Update an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:apiServer",
                        "classifier": "apiServer",
                        "description": "Update details for an API service and its associated operations, including the name, base URLs, and basic rules.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Update an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Update an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Update an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Update an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Update an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Update an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Update an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Update details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:entity",
                        "classifier": "entity",
                        "description": "Update an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:tag",
                        "classifier": "tag",
                        "description": "Create or update an authorization version name.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:create:customDomain",
                        "classifier": "customDomain",
                        "description": "Create a custom domain for the environment to personalize the user-facing PingOne service URLs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:create:theme",
                        "classifier": "theme",
                        "description": "Create a theme to customize the colors and images used on your registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:delete:branding",
                        "classifier": "branding",
                        "description": "Delete branding",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:delete:customDomain",
                        "classifier": "customDomain",
                        "description": "Delete a custom domain from the environment to stop using it in the user-facing PingOne service URLs.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:delete:theme",
                        "classifier": "theme",
                        "description": "Delete a theme from an environment. Themes dictate the customization of the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Read the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:customDomain",
                        "classifier": "customDomain",
                        "description": "Read the custom domain for the environment and see the corresponding custom service URLs. If enabled, custom domains replace pingone in the address bar.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:read:theme",
                        "classifier": "theme",
                        "description": "Read the themes available for an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:update:branding",
                        "classifier": "branding",
                        "description": "Create and update branding",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:update:brandingSettings",
                        "classifier": "brandingSettings",
                        "description": "Update the company name and logo for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:update:customDomain",
                        "classifier": "customDomain",
                        "description": "Update the custom domain for the environment to renew the SSL certificate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "branding:update:theme",
                        "classifier": "theme",
                        "description": "Update a theme in an environment. Themes dictate the colors and images used on the registration pages, sign-on pages, and verification pages for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:create:certificate",
                        "classifier": "certificate",
                        "description": "Create a certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:create:key",
                        "classifier": "key",
                        "description": "Create a new key pair. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:create:krp",
                        "classifier": "krp",
                        "description": "Create a new key rotation policy in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:delete:certificate",
                        "classifier": "certificate",
                        "description": "Delete a certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:delete:key",
                        "classifier": "key",
                        "description": "Delete a key pair. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:delete:krp",
                        "classifier": "krp",
                        "description": "Delete a key rotation policy from the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:read:key",
                        "classifier": "key",
                        "description": "Read the metadata for a key pair and download it as an X509 certificate. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:read:krp",
                        "classifier": "krp",
                        "description": "Read a list of key rotation policies in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "certmgt:update:certificate",
                        "classifier": "certificate",
                        "description": "Update a certificate. Updates include making a certificate default and reassigning a certificate to an application. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:update:key",
                        "classifier": "key",
                        "description": "Update a key pair. Updates include making a key pair default and reassigning a key pair to an application. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "certmgt:update:krp",
                        "classifier": "krp",
                        "description": "Update a key rotation policy in the environment. PingOne uses key rotation to automatically generate new cryptographic keys at a particular interval.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Create a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentialType",
                        "classifier": "credentialType",
                        "description": "Create a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentials",
                        "classifier": "credentials",
                        "description": "Create a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Create a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Create a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Create an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Create the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Delete a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentialType",
                        "classifier": "credentialType",
                        "description": "Delete a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentials",
                        "classifier": "credentials",
                        "description": "Delete a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Delete a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Delete a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Delete an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Read a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialType",
                        "classifier": "credentialType",
                        "description": "Read a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentials",
                        "classifier": "credentials",
                        "description": "Read a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Read a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Read a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Read an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Read the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:stagedChanges",
                        "classifier": "stagedChanges",
                        "description": "Read staged changes for an issuance rule. Staged changes show actions for an issuance rule that are staged for execution.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Update a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentialType",
                        "classifier": "credentialType",
                        "description": "Update a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentials",
                        "classifier": "credentials",
                        "description": "Update a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Update a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Update a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Update an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Update the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:stagedChanges",
                        "classifier": "stagedChanges",
                        "description": "Update staged changes for an issuance rule. Allows for refreshing and applying of staged actions for an issuance rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:create:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Create a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:delete:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Delete a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:read:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Read a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:create:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Create a password policy for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:create:population",
                        "classifier": "population",
                        "description": "Create a population in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:delete:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Delete a password policy from the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:delete:population",
                        "classifier": "population",
                        "description": "Delete a population from the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:delete:schema",
                        "classifier": "schema",
                        "description": "Delete a schema from the environment. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupSyncedRules",
                        "classifier": "groupSyncedRules",
                        "description": "Get a group's provisioning rule sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Read a list of password policies for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:userSyncedStores",
                        "classifier": "userSyncedStores",
                        "description": "Get a user's target store sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Update a password policy for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:update:population",
                        "classifier": "population",
                        "description": "Update a population, including name and description, password policy, and population members. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:schema",
                        "classifier": "schema",
                        "description": "Update a schema, including creating, updating, and deleting attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "earlyAccess:read:features",
                        "classifier": "features",
                        "description": "Read the early access features applicable to an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "earlyAccess:update:features",
                        "classifier": "features",
                        "description": "Opt-in or opt-out of early access features available for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "enduseruiconfig:read:configs",
                        "classifier": "configs",
                        "description": "View the Self Service and Application Portal pages.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:create:externalService",
                        "classifier": "externalService",
                        "description": "Create an external service",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:delete:externalService",
                        "classifier": "externalService",
                        "description": "Delete an external service",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:invoke:externalService",
                        "classifier": "externalService",
                        "description": "Invoke an external service request",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:read:externalService",
                        "classifier": "externalService",
                        "description": "Read one or more external services",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:read:secrets",
                        "classifier": "secrets",
                        "description": "Read external service secrets",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:update:externalService",
                        "classifier": "externalService",
                        "description": "Update an external service",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "externalServices:update:secrets",
                        "classifier": "secrets",
                        "description": "Update external service secrets",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "flowPolicies:read:flowPolicy",
                        "classifier": "flowPolicy",
                        "description": "Read all DaVinci policies that are configured for use with PingOne applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:create:form",
                        "classifier": "form",
                        "description": "Create a DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:delete:form",
                        "classifier": "form",
                        "description": "Delete a DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:delete:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Delete the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:form",
                        "classifier": "form",
                        "description": "Get a list of available DaVinci forms.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:read:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Read the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:update:form",
                        "classifier": "form",
                        "description": "Update an existing DaVinci form.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "formBuilder:update:recaptchaV2Config",
                        "classifier": "recaptchaV2Config",
                        "description": "Update the values for the Site Key and Secret Key fields of all Google reCAPTCHA verifications embedded in any DaVinci forms in a PingOne environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:create:gateway",
                        "classifier": "gateway",
                        "description": "Create a gateway to connect your on-premise infrastructure to PingOne and authenticate user identities and data stored in an internal or external directory.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:delete:gateway",
                        "classifier": "gateway",
                        "description": "Delete a gateway to remove the connection between your on-premise infrastructure and PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:read:gateway",
                        "classifier": "gateway",
                        "description": "Read the configuration details of all PingOne gateways. Gateways connect your on-premise infrastructure to PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "gateways:update:gateway",
                        "classifier": "gateway",
                        "description": "Update the settings for a PingOne gateway.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identityProviders:create:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Create an identity provider (IdP) resource. External IdP connections allow users to authenticate with PingOne using credentials provided by the IdP when configured as part of an authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:delete:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Delete an identity provider (IdP) resource. Users will no longer be able to use the external IdP connection to authenticate using credentials provided by the IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:read:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identityProviders:update:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Update an identity provider (IdP) resource to change how users authenticate to PingOne using the credentials provided by the IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identitycloud:create:orchestration",
                        "classifier": "orchestration",
                        "description": "Create an Advanced Identity Cloud orchestration in a specific environment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identitycloud:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Update an Advanced Identity Cloud orchestration in a specific environment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "idverifications:create:dataBasedIdentityVerification",
                        "classifier": "dataBasedIdentityVerification",
                        "description": "Create data-based identity verification. Data-based identity verification runs matching and fraud analysis against user data and returns all personally identifiable information (PII) and a data match confidence score.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:document",
                        "classifier": "document",
                        "description": "Submit a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:identityRecordMatching",
                        "classifier": "identityRecordMatching",
                        "description": "Create Identity Record Matching. Identity Record Matching compares two sets of identity data and returns a score of confidence that the data match.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Create a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Create the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Create the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:document",
                        "classifier": "document",
                        "description": "Delete a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Delete a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Delete the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Delete the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:get:document",
                        "classifier": "document",
                        "description": "Read user-submitted documents. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Read a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Read the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Read the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:document",
                        "classifier": "document",
                        "description": "Update a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Update a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Update the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Update the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "image:create:image",
                        "classifier": "image",
                        "description": "Upload an image to PingOne for an environment. The image can be used by other services within the environment, such as user profile.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:delete:image",
                        "classifier": "image",
                        "description": "Delete any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "integrations:read:integration",
                        "classifier": "integration",
                        "description": "Read a list of product integration kits, versions, and items in the application catalog.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:create:language",
                        "classifier": "language",
                        "description": "Add a language to configure for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:delete:language",
                        "classifier": "language",
                        "description": "Delete a language from an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:read:language",
                        "classifier": "language",
                        "description": "Read a list of languages that are currently configured for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "langmgt:update:language",
                        "classifier": "language",
                        "description": "Enable or disable a language for an environment or set a language as the default.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "mfa:create:deviceAuthenticationPolicy",
                        "classifier": "deviceAuthenticationPolicy",
                        "description": "Create an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:fidoDeviceMetadata",
                        "classifier": "fidoDeviceMetadata",
                        "description": "Create custom FIDO device metadata.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:fidoPolicy",
                        "classifier": "fidoPolicy",
                        "description": "Create a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:oathToken",
                        "classifier": "oathToken",
                        "description": "Add an OATH token to the environment. After you add the OATH token, you can specify it as an authentication method for a specific user. Relevant only for environments that include PingID.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:delete:deviceAuthenticationPolicy",
                        "classifier": "deviceAuthenticationPolicy",
                        "description": "Delete an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:delete:fidoDeviceMetadata",
                        "classifier": "fidoDeviceMetadata",
                        "description": "Delete custom FIDO device metadata.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:delete:fidoPolicy",
                        "classifier": "fidoPolicy",
                        "description": "Delete a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:delete:mfaSettings",
                        "classifier": "mfaSettings",
                        "description": "Reset MFA settings.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:delete:oathToken",
                        "classifier": "oathToken",
                        "description": "Delete an OATH token from the environment. Relevant only for environments that include PingID.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:deviceAuthenticationPolicy",
                        "classifier": "deviceAuthenticationPolicy",
                        "description": "Read an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:fidoDeviceMetadata",
                        "classifier": "fidoDeviceMetadata",
                        "description": "Read FIDO device metadata.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:fidoPolicy",
                        "classifier": "fidoPolicy",
                        "description": "Read a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:mfaSettings",
                        "classifier": "mfaSettings",
                        "description": "Read MFA settings.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:oathJob",
                        "classifier": "oathJob",
                        "description": "Retrieve an OATH Job",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:read:oathToken",
                        "classifier": "oathToken",
                        "description": "Read an OATH token that has been added to the environment. Relevant only for environments that include PingID.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:update:deviceAuthenticationPolicy",
                        "classifier": "deviceAuthenticationPolicy",
                        "description": "Update an MFA policy. MFA policies are used to define and configure the authentication methods used in your authentication policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:update:fidoPolicy",
                        "classifier": "fidoPolicy",
                        "description": "Update a FIDO policy. FIDO policies define which FIDO devices and authenticators can be used for registration and authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:update:mfaSettings",
                        "classifier": "mfaSettings",
                        "description": "Update MFA settings.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:update:oathToken",
                        "classifier": "oathToken",
                        "description": "Resync an OATH token that has been added to the environment. Relevant only for environments that include PingID.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:create:emailDomain",
                        "classifier": "emailDomain",
                        "description": "Create an email domain. Email domains are used for sending out email notifications to your users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:create:notification",
                        "classifier": "notification",
                        "description": "Send an event notification to a user.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:create:notificationsPolicy",
                        "classifier": "notificationsPolicy",
                        "description": "Create a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:create:templateContent",
                        "classifier": "templateContent",
                        "description": "Create content for a notification template. Notification templates are used to inform users about some event types in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:delete:emailDomain",
                        "classifier": "emailDomain",
                        "description": "Delete an email domain. Email domains are used for sending out email notifications to your users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:delete:notificationsPolicy",
                        "classifier": "notificationsPolicy",
                        "description": "Delete a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:delete:notificationsSettings",
                        "classifier": "notificationsSettings",
                        "description": "Reset fallback order for SMS/Voice providers and reset 'from' and 'reply to' fields for email notifications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:delete:templateContent",
                        "classifier": "templateContent",
                        "description": "Delete the content of a notification template. Notification templates are used to inform users about some event types in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:emailDomain",
                        "classifier": "emailDomain",
                        "description": "Read the email domains. Email domains are used for sending out email notifications to your users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:notificationsPolicy",
                        "classifier": "notificationsPolicy",
                        "description": "Read notification policies. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:notificationsSettings",
                        "classifier": "notificationsSettings",
                        "description": "Read fallback order for SMS/Voice providers and 'from' and 'reply to' fields for email notifications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:quota",
                        "classifier": "quota",
                        "description": "Read the daily notification quota set in notification policy.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:template",
                        "classifier": "template",
                        "description": "Read a notification template. Notification templates are used to inform users about certain events in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:read:templateContent",
                        "classifier": "templateContent",
                        "description": "Read the content of a notification template. Notification templates are used to inform users about some event types in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:update:emailDomain",
                        "classifier": "emailDomain",
                        "description": "Update an email domain. Email domains are used for sending out email notifications to your users.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:update:notificationsPolicy",
                        "classifier": "notificationsPolicy",
                        "description": "Update a notification policy. Notification policies are used to limit the number of SMS/voice or email notifications that can be sent per day.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:update:notificationsSettings",
                        "classifier": "notificationsSettings",
                        "description": "Update fallback order for SMS/Voice providers and reset 'from' and 'reply to' fields for email notifications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "notifications:update:templateContent",
                        "classifier": "templateContent",
                        "description": "Update content for a notification template. Notification templates are used to inform users about some event types in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "orgmgt:create:deployment",
                        "classifier": "deployment",
                        "description": "Create deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "orgmgt:promote:environment",
                        "classifier": "environment",
                        "description": "Promote an environment from sandbox to production. A sandbox environment is used to test functionality before deploying to production.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:update:environment",
                        "classifier": "environment",
                        "description": "Update environment properties to add or remove services, change the environment name or description, or update license information. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:check:connection",
                        "classifier": "connection",
                        "description": "Test the provisioning connection to an external identity provider before saving the configuration.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:create:revision",
                        "classifier": "revision",
                        "description": "Create a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:delete:mapping",
                        "classifier": "mapping",
                        "description": "Delete an attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:delete:plan",
                        "classifier": "plan",
                        "description": "Delete a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:delete:rule",
                        "classifier": "rule",
                        "description": "Delete a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:delete:store",
                        "classifier": "store",
                        "description": "Delete a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:get:revision",
                        "classifier": "revision",
                        "description": "Read a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:mapping",
                        "classifier": "mapping",
                        "description": "Read the attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:plan",
                        "classifier": "plan",
                        "description": "Read a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:store",
                        "classifier": "store",
                        "description": "Read a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:update:mapping",
                        "classifier": "mapping",
                        "description": "Update the attribute mapping for a provisioning rule. Attribute mapping defines how attributes from an external identity store correspond to attributes in PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:update:plan",
                        "classifier": "plan",
                        "description": "Update a provisioning plan. A provisioning plan is a list of all the provisioning rules in an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:update:rule",
                        "classifier": "rule",
                        "description": "Update a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:update:store",
                        "classifier": "store",
                        "description": "Update a provisioning connection. A provisioning connection includes authorization information for the connection type and configuration options, such as provisioning and deprovisioning actions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:delete:gatewayRoleAssignments",
                        "classifier": "gatewayRoleAssignments",
                        "description": "Remove the roles, and their permissions, associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Read admin roles that are assigned to an application scope, including the role permissions. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "APPLICATION"
                        ]
                    },
                    {
                        "id": "permissions:read:gatewayRoleAssignments",
                        "classifier": "gatewayRoleAssignments",
                        "description": "Read the list of roles and the associated permissions associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "permissions:update:applicationRoleAssignments",
                        "classifier": "applicationRoleAssignments",
                        "description": "Assign or revoke admin roles for an application scope. Roles are used by worker applications only.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:update:gatewayRoleAssignments",
                        "classifier": "gatewayRoleAssignments",
                        "description": "Add roles and the associated permissions associated with a gateway scope. The gateway scope defines the attributes that can be accessed in the external LDAP directory.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "pingenterprise:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingenterprise:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Updates Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "pingid:execute:migration",
                        "classifier": "migration",
                        "description": "Start an integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:validate:migration",
                        "classifier": "migration",
                        "description": "Validate resources such as PingID authentication policies before integrating PingID with PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Updates Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "promotion:create:promotion",
                        "classifier": "promotion",
                        "description": "Start the promotion of configuration details from one environment to another. This permission is required in the source environment and 'Execute promotion' is required in the target environment.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:create:promotionVariable",
                        "classifier": "promotionVariable",
                        "description": "Create environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:create:snapshot",
                        "classifier": "snapshot",
                        "description": "Create snapshots of environment resources. A snapshot is a record of the configuration for the asset at a specific point in time.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:delete:promotion",
                        "classifier": "promotion",
                        "description": "Cancel an in-progress environment promotion. Environment promotions are the transfer of configuration details from one environment to another.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:delete:promotionVariable",
                        "classifier": "promotionVariable",
                        "description": "Delete environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:delete:snapshot",
                        "classifier": "snapshot",
                        "description": "Delete snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:execute:promotion",
                        "classifier": "promotion",
                        "description": "Promote the environment resource configuration from one environment to another. This permission is required in the target environment and 'Create promotion' is required in the source environment.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:promotion",
                        "classifier": "promotion",
                        "description": "Read environment promotion details, such as which environment resources were promoted from one environment to another.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:promotionConfiguration",
                        "classifier": "promotionConfiguration",
                        "description": "Read environment-specific configuration data for promotion. Environment promotion ensures the smooth transition of configuration data between environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:promotionVariable",
                        "classifier": "promotionVariable",
                        "description": "Read environment promotion variables. Promotion variables are used to define attributes that must have different values in different environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:read:snapshot",
                        "classifier": "snapshot",
                        "description": "Read snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:update:promotionConfiguration",
                        "classifier": "promotionConfiguration",
                        "description": "Create or update environment-specific configuration data for promotion. Environment promotion ensures the smooth transition of configuration data between environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:update:promotionVariable",
                        "classifier": "promotionVariable",
                        "description": "Update the values of promotion variables. Promotion variables are used to define attributes that must have different values in different environments.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "promotion:update:snapshot",
                        "classifier": "snapshot",
                        "description": "Update snapshots of environment resources. A snapshot is a record of the configuration for the resource at a specific point in time.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "provisioning:create:provisioningSyncOrchestration",
                        "classifier": "provisioningSyncOrchestration",
                        "description": "Create a provisioning sync orchestration for an environment. Sync orchestration is required by the PingOne gateway to provision users inbound into PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "provisioning:get:connectionSensitiveConfiguration",
                        "classifier": "connectionSensitiveConfiguration",
                        "description": "Read the authentication details, which can include sensitive information, for a provisioning configuration. A provisioning configuration includes the provisioning connection and provisioning rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "provisioning:update:provisioningSyncOrchestration",
                        "classifier": "provisioningSyncOrchestration",
                        "description": "Update a provisioning sync orchestration to allow a gateway to provision users to a PingOne environment. Sync orchestration is required by the PingOne gateway to provision users inbound into PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:create:attribute",
                        "classifier": "attribute",
                        "description": "Create an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:create:resource",
                        "classifier": "resource",
                        "description": "Create a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:create:scope",
                        "classifier": "scope",
                        "description": "Create a scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:attribute",
                        "classifier": "attribute",
                        "description": "Delete a custom attribute from a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:resource",
                        "classifier": "resource",
                        "description": "Delete a resource. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:scope",
                        "classifier": "scope",
                        "description": "Delete a scope from a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:delete:secret",
                        "classifier": "secret",
                        "description": "Revoke the previous client secret for an application resource before it expires. Client secrets are used to authenticate a resource with PingOne and can be revoked when a new secret is generated.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:read:attribute",
                        "classifier": "attribute",
                        "description": "Read a list of custom attributes for a resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:resource",
                        "classifier": "resource",
                        "description": "Read the resources in the environment. Resources are protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:scope",
                        "classifier": "scope",
                        "description": "Read the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:read:secret",
                        "classifier": "secret",
                        "description": "Read the client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "resources:update:attribute",
                        "classifier": "attribute",
                        "description": "Update an attribute for a custom resource. Custom resource attributes are mapped as claims in access tokens to convey additional information about their use to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:resource",
                        "classifier": "resource",
                        "description": "Update the configuration of a resource. Resources are the protected endpoints that applications can access using OAuth 2 authorization services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:scope",
                        "classifier": "scope",
                        "description": "Update the scope for a resource. Resource scopes can be associated with applications and define application access to user details, such as name and email address.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "resources:update:secret",
                        "classifier": "secret",
                        "description": "Create a new client secret for a resource. Client secrets are used to authenticate a resource with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "risk:create:feedback",
                        "classifier": "feedback",
                        "description": "Create risk feedback",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:create:policy",
                        "classifier": "policy",
                        "description": "Create a risk policy for use in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:create:predictor",
                        "classifier": "predictor",
                        "description": "Create a risk predictor for use in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:delete:policy",
                        "classifier": "policy",
                        "description": "Delete a risk policy. Risk policies are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:delete:predictor",
                        "classifier": "predictor",
                        "description": "Delete a risk predictor. Risk predictors are used in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:policy",
                        "classifier": "policy",
                        "description": "Read risk policies, which are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:predictor",
                        "classifier": "predictor",
                        "description": "Read risk predictors, which are used in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:update:policy",
                        "classifier": "policy",
                        "description": "Modify an existing risk policy. Risk policies are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:update:predictor",
                        "classifier": "predictor",
                        "description": "Modify an existing risk predictor for use in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:create:config",
                        "classifier": "config",
                        "description": "Create new or reset an existing configuration for the customer or workforce Getting Started experience to assign default flows for registration, authentication, profile management, and account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:config",
                        "classifier": "config",
                        "description": "Read the configuration data for the CIAM or workforce Getting Started experiences, such as the flows used for registration, authentication, profile management, and account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:flow",
                        "classifier": "flow",
                        "description": "Read the list of flows available as part of the getting started experience in the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:read:token",
                        "classifier": "token",
                        "description": "Retrieve a DaVinci access token.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "solutions:update:config",
                        "classifier": "config",
                        "description": "Update the configuration of the customer or workforce Getting Started experience to use different flows for registration, authentication, profile management, or account recovery.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "subscriptions:create:subscription",
                        "classifier": "subscription",
                        "description": "Create a webhook to send event information to an external monitoring system.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "subscriptions:delete:subscription",
                        "classifier": "subscription",
                        "description": "Delete a webhook to stop sending event information to your external monitoring system.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "subscriptions:read:subscription",
                        "classifier": "subscription",
                        "description": "Read webhook information. Webhooks are used to subscribe to events of interest in PingOne and push the event information to an external monitoring system.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "subscriptions:update:subscription",
                        "classifier": "subscription",
                        "description": "Update the properties or filters for a webhook to change the information that is sent to your external monitoring system.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read data exploration template",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "7aba580c-5ec7-4b26-987d-85f462767455"
                    },
                    {
                        "id": "b4766c28-4c05-4bf8-a285-312217341d03"
                    },
                    {
                        "id": "da1f99b8-148c-11ee-be56-0242ac120002"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/0bd6b966-7664-4ac1-b059-0ff9293908e2"
                    }
                },
                "id": "0bd6b966-7664-4ac1-b059-0ff9293908e2",
                "name": "Help Desk Admin",
                "description": "A role for managing user MFA methods and devices and resolving account lockouts. The permissions for this role enable the administrator to add or update MFA methods and devices configured in the user record and to reset passwords to help end users successfully authenticate with PingOne.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "POPULATION"
                ],
                "permissions": [
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:read:sessions",
                        "classifier": "sessions",
                        "description": "Read all sessions for a particular user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupMembership",
                        "classifier": "groupMembership",
                        "description": "Read the group membership for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:user",
                        "classifier": "user",
                        "description": "Read a list of users in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userLinkedAccounts",
                        "classifier": "userLinkedAccounts",
                        "description": "Read accounts linked to a user. A linked account is tied to a third-party identity provider for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:recover:userPassword",
                        "classifier": "userPassword",
                        "description": "Reset a user's password using a recovery code. Send a recovery code.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:reset:userPassword",
                        "classifier": "userPassword",
                        "description": "Reset a user's password without requiring a recovery code.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:set:userPassword",
                        "classifier": "userPassword",
                        "description": "Set a user's clear text or pre-encoded password and set a user's password authority.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:unlock:userPassword",
                        "classifier": "userPassword",
                        "description": "Unlock a user's password. The password state is PASSWORD_LOCKED_OUT.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:update:userMfaEnabled",
                        "classifier": "userMfaEnabled",
                        "description": "Update the mfaEnabled status for a user. Specify whether MFA should be enabled for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:verify:user",
                        "classifier": "user",
                        "description": "Verify a user using a verification code. Send verification codes. Verify a user's email address and send a verification email.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "mfa:authenticate:device",
                        "classifier": "device",
                        "description": "Initiate device authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:device",
                        "classifier": "device",
                        "description": "Create an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "mfa:delete:device",
                        "classifier": "device",
                        "description": "Delete an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "mfa:read:device",
                        "classifier": "device",
                        "description": "Read MFA devices.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:update:device",
                        "classifier": "device",
                        "description": "Update an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:activity",
                        "classifier": "activity",
                        "description": "Read PingID user last activity",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "radiusGateway:read:session",
                        "classifier": "session",
                        "description": "Read radius session details for audit purposes",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "scim:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes, using the SCIM API. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/0bd9c966-7664-4ac1-b059-0ff9293908e2"
                    }
                },
                "id": "0bd9c966-7664-4ac1-b059-0ff9293908e2",
                "name": "Identity Data Admin",
                "description": "A role for managing identities and identity data. The permissions for an identity data administrator are centered around managing user identities, and include functions like creating users and resetting a user's password.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "POPULATION"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:create:oauthConsent",
                        "classifier": "oauthConsent",
                        "description": "Create a record of the user's consent to share their information with an OAuth application during an authentication flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:create:userConsent",
                        "classifier": "userConsent",
                        "description": "Consent to an agreement on behalf of a particular user.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:delete:userConsent",
                        "classifier": "userConsent",
                        "description": "Delete consent to an agreement on behalf of a particular user.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:read:oauthConsent",
                        "classifier": "oauthConsent",
                        "description": "Read the OAuth consent history for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "agreements:read:userConsent",
                        "classifier": "userConsent",
                        "description": "Read the consent history for a user, including agreement names, language, and date of consent.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "agreements:update:oauthConsent",
                        "classifier": "oauthConsent",
                        "description": "Update the recorded date for the user's consent to an OAuth application request for personal information during an authentication flow.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:update:userConsent",
                        "classifier": "userConsent",
                        "description": "Require a user to re-consent to an agreement when the agreement has been updated.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Create permissions that represent actions that can be taken on resources in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Create resources that represent protected features in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Create roles that group permissions for external applications by function.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Assign application roles to users to grant the associated permissions for actions in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:create:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "Add permissions for external applications to application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Delete application permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Delete application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Delete application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Remove application role assignments from users to revoke the associated permissions for actions in external applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:delete:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "Delete permissions from application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "Update details for application permissions, including permission actions and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationResource",
                        "classifier": "applicationResource",
                        "description": "Update details for application resources, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:update:applicationRole",
                        "classifier": "applicationRole",
                        "description": "Update details for application roles, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "audit_reporting:read:activity",
                        "classifier": "activity",
                        "description": "Access to the audit report and event content including PII.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:create:sessions",
                        "classifier": "sessions",
                        "description": "Create a session for a user when they complete authentication during sign-on.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "authn:delete:sessions",
                        "classifier": "sessions",
                        "description": "Delete a recent user session to sign the user out of PingOne. For example, you can delete a session if you detect suspicious activity.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "authn:read:sessions",
                        "classifier": "sessions",
                        "description": "Read all sessions for a particular user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "authn:update:sessions",
                        "classifier": "sessions",
                        "description": "Update a user session when the authentication process or API request has a valid session ID cookie.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Create a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentialType",
                        "classifier": "credentialType",
                        "description": "Create a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:credentials",
                        "classifier": "credentials",
                        "description": "Create a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Create a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Create a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Create an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:create:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Create the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Delete a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentialType",
                        "classifier": "credentialType",
                        "description": "Delete a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:credentials",
                        "classifier": "credentials",
                        "description": "Delete a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Delete a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Delete a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:delete:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Delete an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Read a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialType",
                        "classifier": "credentialType",
                        "description": "Read a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentials",
                        "classifier": "credentials",
                        "description": "Read a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Read a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Read a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Read an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Read the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:stagedChanges",
                        "classifier": "stagedChanges",
                        "description": "Read staged changes for an issuance rule. Staged changes show actions for an issuance rule that are staged for execution.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Update a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentialType",
                        "classifier": "credentialType",
                        "description": "Update a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:credentials",
                        "classifier": "credentials",
                        "description": "Update a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Update a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user. ",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Update a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Update an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Update the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:update:stagedChanges",
                        "classifier": "stagedChanges",
                        "description": "Update staged changes for an issuance rule. Allows for refreshing and applying of staged actions for an issuance rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:create:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Create a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:delete:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Delete a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:read:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Read a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "devices:create:seenDevice",
                        "classifier": "seenDevice",
                        "description": "Create/Update accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:create:userSeenDevice",
                        "classifier": "userSeenDevice",
                        "description": "Create user association with accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:delete:seenDevice",
                        "classifier": "seenDevice",
                        "description": "Delete accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:delete:userSeenDevice",
                        "classifier": "userSeenDevice",
                        "description": "Delete user association with accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:read:seenDevice",
                        "classifier": "seenDevice",
                        "description": "Read accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:read:userSeenDevice",
                        "classifier": "userSeenDevice",
                        "description": "Read user association with accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:update:seenDevice",
                        "classifier": "seenDevice",
                        "description": "Update accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:update:userSeenDevice",
                        "classifier": "userSeenDevice",
                        "description": "Update user association with accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:create:batchGroupMembership",
                        "classifier": "batchGroupMembership",
                        "description": "Create group memberships by batch for a user using the user ID and group IDs. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:create:group",
                        "classifier": "group",
                        "description": "Create a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:create:groupMembership",
                        "classifier": "groupMembership",
                        "description": "Add a user to a group manually, rather than dynamically.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:create:user",
                        "classifier": "user",
                        "description": "Create a user in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:create:userLinkedAccounts",
                        "classifier": "userLinkedAccounts",
                        "description": "Create a linked account for a user. A linked account is tied to a third-party identity provider for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:delete:batchGroupMembership",
                        "classifier": "batchGroupMembership",
                        "description": "Delete group memberships by batch for a user using the user ID and group IDs. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:delete:group",
                        "classifier": "group",
                        "description": "Delete a group from the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:delete:groupMembership",
                        "classifier": "groupMembership",
                        "description": "Delete a user or subgroup from a group.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:delete:user",
                        "classifier": "user",
                        "description": "Delete a user from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:delete:userLinkedAccounts",
                        "classifier": "userLinkedAccounts",
                        "description": "Delete a linked account for a user. A linked account is tied to a third-party identity provider for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:forceChange:userPassword",
                        "classifier": "userPassword",
                        "description": "Force a user to change their password the next time they sign on. The password state is MUST_CHANGE_PASSWORD.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:import:user",
                        "classifier": "user",
                        "description": "Import users into the PingOne Directory. Imported users can include a password value.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:invite:user",
                        "classifier": "user",
                        "description": "Invite users",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:lock:userAccount",
                        "classifier": "userAccount",
                        "description": "(Probably best not to document publicly)",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupMembership",
                        "classifier": "groupMembership",
                        "description": "Read the group membership for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupSyncedRules",
                        "classifier": "groupSyncedRules",
                        "description": "Get a group's provisioning rule sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Read a list of password policies for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:user",
                        "classifier": "user",
                        "description": "Read a list of users in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userLinkedAccounts",
                        "classifier": "userLinkedAccounts",
                        "description": "Read accounts linked to a user. A linked account is tied to a third-party identity provider for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userPassword",
                        "classifier": "userPassword",
                        "description": "Read a user's password state. The password state values can include OK, PASSWORD_LOCKED_OUT, and PASSWORD_EXPIRED.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userSyncedStores",
                        "classifier": "userSyncedStores",
                        "description": "Get a user's target store sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:recover:userPassword",
                        "classifier": "userPassword",
                        "description": "Reset a user's password using a recovery code. Send a recovery code.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:reset:userPassword",
                        "classifier": "userPassword",
                        "description": "Reset a user's password without requiring a recovery code.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:set:userPassword",
                        "classifier": "userPassword",
                        "description": "Set a user's clear text or pre-encoded password and set a user's password authority.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:unlock:userAccount",
                        "classifier": "userAccount",
                        "description": "Unlock a user account. Locked accounts cannot sign on to PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:unlock:userPassword",
                        "classifier": "userPassword",
                        "description": "Unlock a user's password. The password state is PASSWORD_LOCKED_OUT.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "dir:update:group",
                        "classifier": "group",
                        "description": "Update a group, including name, description, and user filter, which defines dynamic group membership. Adding users directly requires the Group Membership permission.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:user",
                        "classifier": "user",
                        "description": "Update a user account, including name, email address, and other attributes.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:userEnabled",
                        "classifier": "userEnabled",
                        "description": "Enable or disable a user. Disabled users cannot sign on to PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:userIdentityProvider",
                        "classifier": "userIdentityProvider",
                        "description": "Define the authoritative identity provider for a user. An authoritative identity provider has authority over user records and credentials.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:userMfaBypass",
                        "classifier": "userMfaBypass",
                        "description": "Specify an MFA bypass period for a user. The user will not be prompted to carry out MFA until after this period expires.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:userMfaEnabled",
                        "classifier": "userMfaEnabled",
                        "description": "Update the mfaEnabled status for a user. Specify whether MFA should be enabled for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:update:userVerifyStatus",
                        "classifier": "userVerifyStatus",
                        "description": "Update a user's verification status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:validate:userPassword",
                        "classifier": "userPassword",
                        "description": "Validate a user's password.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:verify:user",
                        "classifier": "user",
                        "description": "Verify a user using a verification code. Send verification codes. Verify a user's email address and send a verification email.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identityProviders:read:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "idverifications:create:dataBasedIdentityVerification",
                        "classifier": "dataBasedIdentityVerification",
                        "description": "Create data-based identity verification. Data-based identity verification runs matching and fraud analysis against user data and returns all personally identifiable information (PII) and a data match confidence score.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:document",
                        "classifier": "document",
                        "description": "Submit a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:identityRecordMatching",
                        "classifier": "identityRecordMatching",
                        "description": "Create Identity Record Matching. Identity Record Matching compares two sets of identity data and returns a score of confidence that the data match.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Create a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:verifyTransactions",
                        "classifier": "verifyTransactions",
                        "description": "Create a user verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Create the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:create:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Create the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:document",
                        "classifier": "document",
                        "description": "Delete a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:referenceData",
                        "classifier": "referenceData",
                        "description": "Delete data submitted by a user during a voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:verifiedUserData",
                        "classifier": "verifiedUserData",
                        "description": "Delete verified user data from a verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Delete a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:verifyTransactions",
                        "classifier": "verifyTransactions",
                        "description": "Delete a user verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Delete the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:delete:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Delete the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:get:document",
                        "classifier": "document",
                        "description": "Read user-submitted documents. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:get:referenceData",
                        "classifier": "referenceData",
                        "description": "Read data submitted by a user during a voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:get:verifiedUserData",
                        "classifier": "verifiedUserData",
                        "description": "Read verified user data from a verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Read a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyTransactions",
                        "classifier": "verifyTransactions",
                        "description": "Read a user verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Read the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Read the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:document",
                        "classifier": "document",
                        "description": "Update a user-submitted document. User-submitted documents are government issued identity documents, such as a driver license or passport, used for identity verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:verifiedUserData",
                        "classifier": "verifiedUserData",
                        "description": "Update verified user data from a verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Update a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:verifyTransactions",
                        "classifier": "verifyTransactions",
                        "description": "Update a user verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Update the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:update:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Update the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "image:create:image",
                        "classifier": "image",
                        "description": "Upload an image to PingOne for an environment. The image can be used by other services within the environment, such as user profile.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:delete:image",
                        "classifier": "image",
                        "description": "Delete any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "ldapGateway:execute:directLdap",
                        "classifier": "directLdap",
                        "description": "Allow specific clients, such as PingFederate and the PingOne DaVinci connector, to route LDAP operations through PingOne to your on-premise LDAP directories.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "ldapGateway:read:user",
                        "classifier": "user",
                        "description": "Read LDAP users using the LDAP gateway.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "ldapGateway:validate:kerberos",
                        "classifier": "kerberos",
                        "description": "Use Kerberos authentication through an LDAP gateway. Available only if you use Microsoft Active Directory as your LDAP directory.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "ldapGateway:validate:userPassword",
                        "classifier": "userPassword",
                        "description": "Check a user's password through a PingOne LDAP gateway. LDAP gateways connect PingOne with customer-managed LDAP directories.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "mfa:authenticate:device",
                        "classifier": "device",
                        "description": "Initiate device authentication.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:createTestDevice",
                        "classifier": "createTestDevice",
                        "description": "Create an MFA device for testing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "mfa:create:device",
                        "classifier": "device",
                        "description": "Create an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "mfa:create:pairingKey",
                        "classifier": "pairingKey",
                        "description": "Create a pairing key for an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:delete:device",
                        "classifier": "device",
                        "description": "Delete an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "mfa:delete:pairingKey",
                        "classifier": "pairingKey",
                        "description": "Delete the pairing key for an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:read:device",
                        "classifier": "device",
                        "description": "Read MFA devices.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:read:pairingKey",
                        "classifier": "pairingKey",
                        "description": "Read pairing keys for MFA devices.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:update:device",
                        "classifier": "device",
                        "description": "Update an MFA device.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "notifications:reset:userQuota",
                        "classifier": "userQuota",
                        "description": "Reset notifications quota",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:create:groupRoleAssignments",
                        "classifier": "groupRoleAssignments",
                        "description": "Assign an admin role to a group.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:delete:groupRoleAssignments",
                        "classifier": "groupRoleAssignments",
                        "description": "Remove an admin role from a group.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:groupRoleAssignments",
                        "classifier": "groupRoleAssignments",
                        "description": "Read the admin roles that are assigned to a group.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "permissions:update:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Update admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "pingid:read:activity",
                        "classifier": "activity",
                        "description": "Read PingID user last activity",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:integration",
                        "classifier": "integration",
                        "description": "Read PingID user integrations (services)",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:update:integration",
                        "classifier": "integration",
                        "description": "Update PingID user integration (service)",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "prediction:create:prediction",
                        "classifier": "prediction",
                        "description": "Create a prediction",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "radiusGateway:read:session",
                        "classifier": "session",
                        "description": "Read RADIUS session details for audit purposes",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:create:evaluation",
                        "classifier": "evaluation",
                        "description": "Create a risk evaluation, which is used to calculate the risk level and other risk-related details associated with an event.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:create:feedback",
                        "classifier": "feedback",
                        "description": "Create risk feedback",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:evaluation",
                        "classifier": "evaluation",
                        "description": "Read risk evaluation details. Risk evaluations are used to calculate the risk level and other risk-related details associated with an event.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:policy",
                        "classifier": "policy",
                        "description": "Read risk policies, which are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:predictor",
                        "classifier": "predictor",
                        "description": "Read risk predictors, which are used in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:update:evaluation",
                        "classifier": "evaluation",
                        "description": "Update a risk evaluation with the completion status to allow the learning mechanism to improve risk evaluation precision.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "riskDetection:create:evaluation",
                        "classifier": "evaluation",
                        "description": "Create detection evaluations for risk service",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "scim:create:user",
                        "classifier": "user",
                        "description": "Create a user in the environment using the SCIM API.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "scim:delete:user",
                        "classifier": "user",
                        "description": "Delete a user from the environment using the SCIM API.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "scim:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes, using the SCIM API. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "scim:read:user",
                        "classifier": "user",
                        "description": "Read a list of users in the environment using the SCIM API.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "scim:update:user",
                        "classifier": "user",
                        "description": "Update a user account, including name, email address, and other attributes, using the SCIM API.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read data exploration template",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "0bd6b966-7664-4ac1-b059-0ff9293908e2"
                    },
                    {
                        "id": "ce00e15f-f845-4df1-abf3-fdc4ff4e176c"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/ce00e15f-f845-4df1-abf3-fdc4ff4e176c"
                    }
                },
                "id": "ce00e15f-f845-4df1-abf3-fdc4ff4e176c",
                "name": "Identity Data Read Only",
                "description": "A subset of the Identity Data Admin role, but with read-only permissions. For example, the Identity Data Admin role can read, update, and delete users, but the Identity Data Read Only role can read user data only. Admins with the Identity Data Admin or Identity Data Read Only role can assign the Identity Data Read Only role to users.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "POPULATION"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "agreements:read:oauthConsent",
                        "classifier": "oauthConsent",
                        "description": "Read the OAuth consent history for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "agreements:read:userConsent",
                        "classifier": "userConsent",
                        "description": "Read the consent history for a user, including agreement names, language, and date of consent.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationEntitlement",
                        "classifier": "applicationEntitlement",
                        "description": "Query a user's entitled application permissions, which control the actions the user can take in applications and APIs. Application permissions are defined on resources and assigned through application roles.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationPermission",
                        "classifier": "applicationPermission",
                        "description": "List application permissions and read permission details, including permission descriptions, actions, and resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationResource",
                        "classifier": "applicationResource",
                        "description": "List application resources and read resource details, including resource names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRole",
                        "classifier": "applicationRole",
                        "description": "List application roles and read role details, including role names and descriptions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleAssignment",
                        "classifier": "applicationRoleAssignment",
                        "description": "Read application roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "applicationRoles:read:applicationRoleEntry",
                        "classifier": "applicationRoleEntry",
                        "description": "List permissions for an application role.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "audit_reporting:read:activity",
                        "classifier": "activity",
                        "description": "Access to the audit report and event content including PII.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authn:read:sessions",
                        "classifier": "sessions",
                        "description": "Read all sessions for a particular user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "certmgt:read:certificate",
                        "classifier": "certificate",
                        "description": "Read the metadata for a certificate and export the certificate as an X509 certificate. Certificates are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialSigningKey",
                        "classifier": "credentialSigningKey",
                        "description": "Read a credential signing key for an environment. Credential signing keys sign a verifiable credential using a customer-provided service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentialType",
                        "classifier": "credentialType",
                        "description": "Read a credential type for an environment. A credential type defines a template that is used when creating or updating a user credential.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:credentials",
                        "classifier": "credentials",
                        "description": "Read a credential. Credentials allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWallet",
                        "classifier": "digitalWallet",
                        "description": "Read a digital wallet for a user. A digital wallet links an instance of a digital wallet application to a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:digitalWalletApplication",
                        "classifier": "digitalWalletApplication",
                        "description": "Read a digital wallet application. A digital wallet application defines the relationship between a user's digital wallet and a customer's PingOne application.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuanceRule",
                        "classifier": "issuanceRule",
                        "description": "Read an issuance rule for a credential type. Issuance rules are used to issue credentials to a specified group, population or SCIM filter.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:issuerProfile",
                        "classifier": "issuerProfile",
                        "description": "Read the environment profile used for issuing user credentials.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsIssuance:read:stagedChanges",
                        "classifier": "stagedChanges",
                        "description": "Read staged changes for an issuance rule. Staged changes show actions for an issuance rule that are staged for execution.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "credentialsVerification:read:presentationSession",
                        "classifier": "presentationSession",
                        "description": "Read a Verification Session. Verification Sessions allow providers of services to verify authenticity and accuracy of issuance and data integrity at the time of presentation.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "devices:read:seenDevice",
                        "classifier": "seenDevice",
                        "description": "Read accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "devices:read:userSeenDevice",
                        "classifier": "userSeenDevice",
                        "description": "Read user association with accessing device",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:group",
                        "classifier": "group",
                        "description": "Read a group in the environment. Groups are used to organize a collection of user identities.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupMembership",
                        "classifier": "groupMembership",
                        "description": "Read the group membership for a user.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:groupSyncedRules",
                        "classifier": "groupSyncedRules",
                        "description": "Get a group's provisioning rule sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:passwordPolicy",
                        "classifier": "passwordPolicy",
                        "description": "Read a list of password policies for the environment. A password policy dictates the strength and complexity requirements for a password or passphrase.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:population",
                        "classifier": "population",
                        "description": "Read a list of populations in the environment. A population defines a set of users, and a user can belong to one population only.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "dir:read:user",
                        "classifier": "user",
                        "description": "Read a list of users in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userLinkedAccounts",
                        "classifier": "userLinkedAccounts",
                        "description": "Read accounts linked to a user. A linked account is tied to a third-party identity provider for authentication.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userPassword",
                        "classifier": "userPassword",
                        "description": "Read a user's password state. The password state values can include OK, PASSWORD_LOCKED_OUT, and PASSWORD_EXPIRED.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "dir:read:userSyncedStores",
                        "classifier": "userSyncedStores",
                        "description": "Get a user's target store sync status.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identityProviders:read:identityProvider",
                        "classifier": "identityProvider",
                        "description": "Read identity provider (IdP) resources. External IdP connections allow users to authenticate to PingOne using credentials provided by the external IdP.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyPolicy",
                        "classifier": "verifyPolicy",
                        "description": "Read a PingOne Verify policy.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:verifyTransactions",
                        "classifier": "verifyTransactions",
                        "description": "Read a user verification transaction.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhrase",
                        "classifier": "voicePhrase",
                        "description": "Read the template that defines the phrase the user speaks during voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "idverifications:read:voicePhraseContent",
                        "classifier": "voicePhraseContent",
                        "description": "Read the phrase that the user speaks aloud for voice verification.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "image:read:image",
                        "classifier": "image",
                        "description": "View any image that has been uploaded to PingOne for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "ldapGateway:read:user",
                        "classifier": "user",
                        "description": "Read LDAP users using the LDAP gateway.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "mfa:read:device",
                        "classifier": "device",
                        "description": "Read MFA devices.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "mfa:read:pairingKey",
                        "classifier": "pairingKey",
                        "description": "Read pairing keys for MFA devices.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:read:groupRoleAssignments",
                        "classifier": "groupRoleAssignments",
                        "description": "Read the admin roles that are assigned to a group.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:userRoleAssignments",
                        "classifier": "userRoleAssignments",
                        "description": "Read admin roles that are assigned to a user, including the role permissions.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:activity",
                        "classifier": "activity",
                        "description": "Read PingID user last activity",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:integration",
                        "classifier": "integration",
                        "description": "Read PingID user integrations (services).",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "radiusGateway:read:session",
                        "classifier": "session",
                        "description": "Read RADIUS session details for audit purposes.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:evaluation",
                        "classifier": "evaluation",
                        "description": "Read risk evaluation details. Risk evaluations are used to calculate the risk level and other risk-related details associated with an event.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:policy",
                        "classifier": "policy",
                        "description": "Read risk policies, which are used in risk evaluations.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "risk:read:predictor",
                        "classifier": "predictor",
                        "description": "Read risk predictors, which are used in risk policies.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "scim:read:schema",
                        "classifier": "schema",
                        "description": "Read the schema for the environment, including its attributes, using the SCIM API. A schema defines the user attributes in the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "scim:read:user",
                        "classifier": "user",
                        "description": "Read a list of users in the environment using the SCIM API.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "POPULATION"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read data exploration template",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/1813bc13-8d13-4e88-a825-d40bfe82777b"
                    }
                },
                "id": "1813bc13-8d13-4e88-a825-d40bfe82777b",
                "name": "Organization Admin",
                "description": "A role for managing the entire organization. The permissions for an organization administrator are centered around managing organizations and include functions like creating, editing, and deleting organizations and environments.",
                "applicableTo": [
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "admin:read:config",
                        "classifier": "config",
                        "description": "Read the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "admin:update:config",
                        "classifier": "config",
                        "description": "Update the administrator security settings used for accessing the admin console.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "authz:authorize:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Make a decision request to a decision endpoint, initiating evaluation of policies deployed to the endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Create an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Assign an adaptive access policy to an application. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Create an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Create an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Create an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Create an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Create an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Create an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Create an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Create a decision endpoint, which provides an environment for authorization policy deployment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:create:entity",
                        "classifier": "entity",
                        "description": "Create an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Delete an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Delete adaptive access policy assignments from an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Delete an authorization attribute from the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Delete an authorization condition from the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Delete an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Delete an authorization processor from the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Delete an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Delete an authorization service from the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Delete an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Delete a decision endpoint and any recent decisions stored for the endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:entity",
                        "classifier": "entity",
                        "description": "Delete an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:delete:tag",
                        "classifier": "tag",
                        "description": "Delete an authorization version name.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Read configuration details for adaptive access policies. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:adaptiveTrustPolicyAssignment",
                        "classifier": "adaptiveTrustPolicyAssignment",
                        "description": "Read adaptive access policy assignments for an application. Policy assignments control which policies the application uses for adaptive access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Read configuration details for authorization attributes in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Read configuration details for authorization conditions in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Read configuration details for authorization policies. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Read configuration details for authorization processors in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Read configuration details for authorization rules. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Read configuration details for authorization services in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Read configuration details for authorization statements. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:authorizeDeployment",
                        "classifier": "authorizeDeployment",
                        "description": "Read PingOne Authorize Gateway Deployment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Read details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "authz:read:deploymentpackage",
                        "classifier": "deploymentpackage",
                        "description": "Read the deployment package of policies and Trust Framework definitions associated with a specific authorization version.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:entity",
                        "classifier": "entity",
                        "description": "Read details about an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:recentdecisions",
                        "classifier": "recentdecisions",
                        "description": "Read details about the decision flow and elements used in recent decisions for a decision endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:tag",
                        "classifier": "tag",
                        "description": "Read an authorization version name.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:read:version",
                        "classifier": "version",
                        "description": "Read details about an authorization version, including the entity that changed, the date and time, and the user who made the change.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Test an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Test an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Test an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Test an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Test an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:test:entity",
                        "classifier": "entity",
                        "description": "Test an authorization service, attribute, condition, policy set, policy, or library rule.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:adaptiveTrustPolicy",
                        "classifier": "adaptiveTrustPolicy",
                        "description": "Update an adaptive access policy. Adaptive access policies define contextual rules for access to applications.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationAttribute",
                        "classifier": "authorizationAttribute",
                        "description": "Update an authorization attribute in the Trust Framework. Authorization attributes provide contextual information used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationCondition",
                        "classifier": "authorizationCondition",
                        "description": "Update an authorization condition in the Trust Framework. Authorization conditions use comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationPolicy",
                        "classifier": "authorizationPolicy",
                        "description": "Update an authorization policy. Authorization policies define the context and logic used to control access to application resources.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationProcessor",
                        "classifier": "authorizationProcessor",
                        "description": "Update an authorization processor in the Trust Framework. Authorization processors transform data returned from authorization attributes and services.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationRule",
                        "classifier": "authorizationRule",
                        "description": "Update an authorization rule. Authorization rules use conditions or in-line comparisons to define authorization policy logic.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationService",
                        "classifier": "authorizationService",
                        "description": "Update an authorization service in the Trust Framework. Authorization services connect to data sources used in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:authorizationStatement",
                        "classifier": "authorizationStatement",
                        "description": "Update an authorization statement. Authorization statements provide additional processing instructions in authorization decisions.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:decisionendpoint",
                        "classifier": "decisionendpoint",
                        "description": "Update details for a decision endpoint, including its name, description, policy version deployed, and whether recent decisions are recorded.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:entity",
                        "classifier": "entity",
                        "description": "Update an authorization service, attribute, condition, processor, policy set, policy, rule, statement, or target.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "authz:update:tag",
                        "classifier": "tag",
                        "description": "Create or update an authorization version name.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "bootstrap:create:bootstrap",
                        "classifier": "bootstrap",
                        "description": "Start a bootstrap execution for provisioning.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "bootstrap:read:bootstrap",
                        "classifier": "bootstrap",
                        "description": "Check bootstrap execution status by invoking the GET endpoint.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "certmgt:create:key",
                        "classifier": "key",
                        "description": "Create a new key pair. Key pairs are security credentials that PingOne uses for encryption and signing.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "earlyAccess:read:features",
                        "classifier": "features",
                        "description": "Read the early access features applicable to an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "earlyAccess:update:features",
                        "classifier": "features",
                        "description": "Opt-in or opt-out of early access features available for an environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "identitycloud:create:orchestration",
                        "classifier": "orchestration",
                        "description": "Create an Advanced Identity Cloud orchestration in a specific environment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "identitycloud:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Update an Advanced Identity Cloud orchestration in a specific environment",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "integrations:read:integration",
                        "classifier": "integration",
                        "description": "Read a list of product integration kits, versions, and items in the application catalog.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "licensing:update:environmentLicense",
                        "classifier": "environmentLicense",
                        "description": "Update environment licenses",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:update:mutableProperties",
                        "classifier": "mutableProperties",
                        "description": "Edit the attributes for a license, including the license name or environment assignment.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "orgmgt:create:deployment",
                        "classifier": "deployment",
                        "description": "Create deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "orgmgt:create:environment",
                        "classifier": "environment",
                        "description": "Create an environment to include a set of services and capabilities. Define the name and description, and include license information. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "orgmgt:delete:environment",
                        "classifier": "environment",
                        "description": "Delete an environment and all of its associated resources, such as applications, users, and branding. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "orgmgt:promote:environment",
                        "classifier": "environment",
                        "description": "Promote an environment from sandbox to production. A sandbox environment is used to test functionality before deploying to production.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:update:environment",
                        "classifier": "environment",
                        "description": "Update environment properties to add or remove services, change the environment name or description, or update license information. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "osmosis:read:rule",
                        "classifier": "rule",
                        "description": "Read a provisioning rule. A provisioning rule defines which users are provisioned and how attributes are mapped between PingOne and the external identity store.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "permissions:create:roles",
                        "classifier": "roles",
                        "description": "Create a custom role for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:delete:roles",
                        "classifier": "roles",
                        "description": "Remove a custom role from the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:read:roles",
                        "classifier": "roles",
                        "description": "Read a list of custom roles for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "permissions:update:roles",
                        "classifier": "roles",
                        "description": "Update the permissions that are included in a custom role for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ],
                        "sensitive": true
                    },
                    {
                        "id": "pingenterprise:create:orchestration",
                        "classifier": "orchestration",
                        "description": "Creates an Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingenterprise:delete:orchestration",
                        "classifier": "orchestration",
                        "description": "Deletes Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingenterprise:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingenterprise:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Updates Orchestration flow for Ping Enterprise deployment",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:validate:migration",
                        "classifier": "migration",
                        "description": "Validate resources such as PingID authentication policies before integrating PingID with PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:create:orchestration",
                        "classifier": "orchestration",
                        "description": "Creates an Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:delete:orchestration",
                        "classifier": "orchestration",
                        "description": "Deletes Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:read:orchestration",
                        "classifier": "orchestration",
                        "description": "Retrieve Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "pingintelligence:update:orchestration",
                        "classifier": "orchestration",
                        "description": "Updates Orchestration flow for Ping Intelligence deployment",
                        "applicableTo": [
                            "ORGANIZATION",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:create:exploration",
                        "classifier": "exploration",
                        "description": "Create a data exploration object for use with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:authentication",
                        "classifier": "authentication",
                        "description": "View the Authentication dashboard. The Authentication dashboard shows a summary of sign-on activity through PingOne and additional authentication metrics for the environment.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "visualization:read:dashboard",
                        "classifier": "dashboard",
                        "description": "See dashboards",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:exploration",
                        "classifier": "exploration",
                        "description": "Read the data for a data exploration object. Data exploration objects are used with dashboards and report generation.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:template",
                        "classifier": "template",
                        "description": "Read data exploration template",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "PLATFORM"
                        ]
                    },
                    {
                        "id": "visualization:read:userDemographics",
                        "classifier": "userDemographics",
                        "description": "Read the User Demographics dashboard and user demographic data. User demographic data provides information on the distribution of users by population and operating system and browser usage by service.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "e334b5c7-3d81-4eaf-9bf5-e2422ef225fb"
                    },
                    {
                        "id": "bd208a53-d370-4767-af35-41da7e95e749"
                    },
                    {
                        "id": "c44ba454-adff-4075-89a0-475b69be23a0"
                    },
                    {
                        "id": "c8731786-f44c-4b94-b120-adb3c6d54e66"
                    },
                    {
                        "id": "55a166ae-66e6-4328-9470-38f8001aa09b"
                    },
                    {
                        "id": "1e333a95-8005-4edf-8019-0d07d6afe51e"
                    },
                    {
                        "id": "e1d2612e-252c-4a1f-a953-fd26e349be16"
                    },
                    {
                        "id": "c8facf98-7e92-48ee-a5a0-0365be0bced3"
                    },
                    {
                        "id": "6f770b08-793f-4393-b2aa-b1d1587a0324"
                    },
                    {
                        "id": "360387d3-d523-40ed-a52f-17ea95bafc16"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/c65f13f5-f42c-4ffc-aa3a-4858d4ac3f6d"
                    }
                },
                "id": "c65f13f5-f42c-4ffc-aa3a-4858d4ac3f6d",
                "name": "PingFederate Administrator",
                "description": "Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingfederate:admin:system",
                        "classifier": "system",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Administrator role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/b812ab8e-8fbc-45a9-b965-136849148040"
                    }
                },
                "id": "b812ab8e-8fbc-45a9-b965-136849148040",
                "name": "PingFederate Auditor",
                "description": "View-only permissions for all administrative functions.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingfederate:admin:auditor",
                        "classifier": "auditor",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Auditor role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/03643153-e396-4c35-b527-ac05b43a64fb"
                    }
                },
                "id": "03643153-e396-4c35-b527-ac05b43a64fb",
                "name": "PingFederate Crypto Administrator",
                "description": "Manage local keys and certificates.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingfederate:admin:crypto",
                        "classifier": "crypto",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Crypto Administrator role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/ec21ef32-0885-4210-8fe3-247bc2f40e7d"
                    }
                },
                "id": "ec21ef32-0885-4210-8fe3-247bc2f40e7d",
                "name": "PingFederate Expression Administrator",
                "description": "Map user attributes by using the OGNL (Object-Graph Navigation Language) expression language.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingfederate:admin:expressions",
                        "classifier": "expressions",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Expressions Administrator role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingfederate:admin:system",
                        "classifier": "system",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Administrator role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "c65f13f5-f42c-4ffc-aa3a-4858d4ac3f6d"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/6f6793ad-4a5a-421b-8867-406ebee618de"
                    }
                },
                "id": "6f6793ad-4a5a-421b-8867-406ebee618de",
                "name": "PingFederate User Administrator",
                "description": "Create users, deactivate users, change or reset passwords, and install replacement license keys.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "console:display:environmentProperties",
                        "classifier": "environmentProperties",
                        "description": "View the environment properties page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "pingfederate:admin:auditor",
                        "classifier": "auditor",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Auditor role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingfederate:admin:users",
                        "classifier": "users",
                        "description": "Used only for SSO to PingFederate. Enables the PingFederate Users Administrator role for the PingOne admin in PingFederate.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "b812ab8e-8fbc-45a9-b965-136849148040"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/e334b5c7-3d81-4eaf-9bf5-e2422ef225fb"
                    }
                },
                "id": "e334b5c7-3d81-4eaf-9bf5-e2422ef225fb",
                "name": "PingOne for Enterprise Application Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing the specific applications the user is assigned in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:application",
                        "classifier": "application",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Application Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/55a166ae-66e6-4328-9470-38f8001aa09b"
                    }
                },
                "id": "55a166ae-66e6-4328-9470-38f8001aa09b",
                "name": "PingOne for Enterprise Audit & Report Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing subscriptions for audit events and running reports in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:auditReport",
                        "classifier": "auditReport",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Audit & Report Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/360387d3-d523-40ed-a52f-17ea95bafc16"
                    }
                },
                "id": "360387d3-d523-40ed-a52f-17ea95bafc16",
                "name": "PingOne for Enterprise Global Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role with full permissions to view all aspects of the account and the admin portal, including the ability to manage all group and role assignments in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:global",
                        "classifier": "global",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Global Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ],
                "canAssign": [
                    {
                        "id": "e334b5c7-3d81-4eaf-9bf5-e2422ef225fb"
                    },
                    {
                        "id": "bd208a53-d370-4767-af35-41da7e95e749"
                    },
                    {
                        "id": "c44ba454-adff-4075-89a0-475b69be23a0"
                    },
                    {
                        "id": "c8731786-f44c-4b94-b120-adb3c6d54e66"
                    },
                    {
                        "id": "55a166ae-66e6-4328-9470-38f8001aa09b"
                    },
                    {
                        "id": "1e333a95-8005-4edf-8019-0d07d6afe51e"
                    },
                    {
                        "id": "e1d2612e-252c-4a1f-a953-fd26e349be16"
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/bd208a53-d370-4767-af35-41da7e95e749"
                    }
                },
                "id": "bd208a53-d370-4767-af35-41da7e95e749",
                "name": "PingOne for Enterprise Identity Repository Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing the configuration of identity repositories in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:identityRepository",
                        "classifier": "identityRepository",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Identity Repository Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/c44ba454-adff-4075-89a0-475b69be23a0"
                    }
                },
                "id": "c44ba454-adff-4075-89a0-475b69be23a0",
                "name": "PingOne for Enterprise PingID Device Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing the Users > Users by Service > PingID page in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:device",
                        "classifier": "device",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables PingID Device Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/1e333a95-8005-4edf-8019-0d07d6afe51e"
                    }
                },
                "id": "1e333a95-8005-4edf-8019-0d07d6afe51e",
                "name": "PingOne for Enterprise SaaS Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing the Application Catalog and application connections in PingOne for Enterprise. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:saas",
                        "classifier": "saas",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables SaaS Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/c8731786-f44c-4b94-b120-adb3c6d54e66"
                    }
                },
                "id": "c8731786-f44c-4b94-b120-adb3c6d54e66",
                "name": "PingOne for Enterprise Service User Administrator",
                "description": "Used only for SSO to PingOne for Enterprise. A read-only role for viewing the services a user can use in PingOne for Enterprise. To enable write access for this role, an administrator must also have the PingOne for Enterprise Editing Access role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:serviceUser",
                        "classifier": "serviceUser",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Service User Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            },
            {
                "_links": {
                    "self": {
                        "href": "https://api.pingone.com/v1/roles/e1d2612e-252c-4a1f-a953-fd26e349be16"
                    }
                },
                "id": "e1d2612e-252c-4a1f-a953-fd26e349be16",
                "name": "PingOne for Enterprise Support Administrator (MSP only)",
                "description": "Used only for SSO to PingOne for Enterprise for Managed Service Providers. A read-only role for viewing the admin portal in PingOne for Enterprise for Managed Service Providers. An administrator must also have the PingOne for Enterprise Editing Access role to enable write access for this role.",
                "applicableTo": [
                    "ENVIRONMENT",
                    "ORGANIZATION"
                ],
                "permissions": [
                    {
                        "id": "console:display:environmentOverview",
                        "classifier": "environmentOverview",
                        "description": "View the environment overview page in the administrator console. This permission only affects visibility in the administrator console and not API access.",
                        "applicableTo": [
                            "ORGANIZATION",
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "globalregistry:read:console",
                        "classifier": "console",
                        "description": "Access to PingOne administrator console.",
                        "applicableTo": [
                            "ENVIRONMENT",
                            "ORGANIZATION"
                        ]
                    },
                    {
                        "id": "licensing:read:license",
                        "classifier": "license",
                        "description": "Read license information for the organization.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:deployment",
                        "classifier": "deployment",
                        "description": "Read deployments for other Ping products in the PingOne environment. These other products might require additional configuration outside of PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:environment",
                        "classifier": "environment",
                        "description": "Read a list of the environments that a user belongs to. Environments are the primary subdivision of an organization.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ],
                        "essential": true
                    },
                    {
                        "id": "orgmgt:read:organization",
                        "classifier": "organization",
                        "description": "Read the organization that a user belongs to. A user can belong to one organization only. The organization is the top-level identifier in PingOne.",
                        "applicableTo": [
                            "ORGANIZATION"
                        ],
                        "essential": true
                    },
                    {
                        "id": "p14e:admin:support",
                        "classifier": "support",
                        "description": "Used only for SSO to PingOne for Enterprise. Enables Global Administrator role with read-only access for the PingOne admin in PingOne for Enterprise. For write access, you must also add the PingOne for Enterprise Editing Access permission.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    },
                    {
                        "id": "pingid:read:migration",
                        "classifier": "migration",
                        "description": "Check the status of the integration of PingID with PingOne.",
                        "applicableTo": [
                            "ENVIRONMENT"
                        ]
                    }
                ]
            }
        ]
    },
    "count": 28,
    "size": 28
}