MCP Server for PingOne

Build 25.0.9440

Administrator Roles

Roles

An administrator role is a collection of permissions that you can assign to a user or application in PingOne. There are two types of administrator roles in PingOne:

  • Built-in roles

    PingOne provides several built-in administrator roles, such as Environment Admin, Application Owner, and Organization Admin. These roles provide access to a wide variety of resources at multiple levels within PingOne. They are read-only and can't be modified.

  • Custom roles

    You can create custom administrator roles to delegate administration of particular resources in an environment and provide least-privileged access to those resources. Custom roles give you more granular control over the permissions assigned to the identity/principal (e.g. user, application, etc.) that the server uses.

For more information on administrator roles, see Administrator Roles from the PingOne documentation.

Permissions

Permissions represent actions and the resources/entities (e.g. Users, Applications, etc.) on which those actions can be performed. For more information on permissions, refer to PingOne Permissions by Identifier from the PingOne Platform API documentation.

Using Roles

When the server requests access on behalf of the user (for example, when using a redirect-based authentication scheme like OAuth), the user's permissions (which are inherited from the administrator roles assigned to the user) are used. Similarly, when the server requests access on behalf of the application (for example, when using the OAuthClient authentication scheme), the application's permissions are used instead.

To authenticate and use the server to query data on the entities we expose (see Data Model), at the bare minimum you must configure the following built-in administrator roles for your user/application, for at least one environment:

Environment-level Administrator Roles

  • Client Application Developer
  • Identity Data Admin
  • Environment Admin

To see the list of built-in roles and permissions required for performing an operation on the entities exposed by the server, see entity-specific information for each entity in Data Model.

PingOne Limitations

Access to a worker application's client secret requires holding a superset of the worker application's role assignments. Initially, the worker application is granted all the role assignments of the admin (or worker app) that created it, which gives that admin (and any other admin with a superset of those role assignments) access to the worker application's secret.

However, if the worker application ever gains new role assignments (for example, by creating a new environment and being granted role assignments to cover the new environment), the admin who originally created the worker application may no longer be able to access its secret.

For further information, see the Worker applications and environments section of the PingOne Platform API's Administrator permissions and role assignments chapter.

Because of this limitation, we recommend that you reserve the worker application you created for use by the server only and do not modify it anywhere else; otherwise, you risk losing access to that application's client secret.
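The two checks described on this page (the three environment-level roles the server needs, and the superset rule for reading a worker application's client secret), as an added example; this is not CData's or PingOne's own code, and it models a role assignment as a (role, scope type, scope id) tuple on constructed data rather than calling the PingOne API.

```python
# Added example (not CData's or PingOne's own code): models the two checks this
# page describes using plain Python sets. It assumes a role assignment can be
# represented as (role name, scope type, scope id); real PingOne assignments
# carry ids and are read through the PingOne API, which is not called here.
from typing import Iterable, Set, Tuple

Assignment = Tuple[str, str, str]  # (role, scope type, scope id)

# The built-in roles this page says the server needs at environment level.
REQUIRED_ENV_ROLES = frozenset({
    "Client Application Developer",
    "Identity Data Admin",
    "Environment Admin",
})


def environments_ready(assignments: Iterable[Assignment]) -> Set[str]:
    """Return the environment ids in which the principal holds all three
    required roles; the server needs at least one such environment."""
    roles_by_env = {}
    for role, scope_type, scope_id in assignments:
        if scope_type == "ENVIRONMENT":
            roles_by_env.setdefault(scope_id, set()).add(role)
    return {env for env, roles in roles_by_env.items() if REQUIRED_ENV_ROLES <= roles}


def secret_access_gap(admin: Iterable[Assignment], worker: Iterable[Assignment]) -> Set[Assignment]:
    """Role assignments the worker holds that the admin does not. An empty set
    means the admin holds a superset and can still read the worker's client secret."""
    return set(worker) - set(admin)


# Constructed sample data: an admin creates a worker app, which copies the
# admin's assignments; the worker later gains a role in a new environment.
ADMIN = {
    ("Environment Admin", "ENVIRONMENT", "env-A"),
    ("Identity Data Admin", "ENVIRONMENT", "env-A"),
    ("Client Application Developer", "ENVIRONMENT", "env-A"),
}
WORKER_INITIAL = set(ADMIN)
WORKER_AFTER_NEW_ENV = WORKER_INITIAL | {("Environment Admin", "ENVIRONMENT", "env-B")}

if __name__ == "__main__":
    print("ready envs:", environments_ready(WORKER_INITIAL))        # {'env-A'}
    print("gap before:", secret_access_gap(ADMIN, WORKER_INITIAL))  # set()
    print("gap after:", secret_access_gap(ADMIN, WORKER_AFTER_NEW_ENV))
```

A non-empty gap lists exactly the role assignments the admin would need to be granted to regain access to the secret.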

Copyright (c) 2025 CData Software, Inc. - All rights reserved.