---
title: Adding PingAuthorize access control rules
description: Add an access control rule to contact PingAuthorize or PingOne Authorize for access information. An access control rule can grant or deny access and can modify the request, based on the response from the PingAuthorize request application programming interface (API).
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_pingauth_access_control_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html
revdate: January 26, 2026
section_ids:
  before-you-begin: Before you begin
  steps: Steps
---

# Adding PingAuthorize access control rules

Add an access control rule to contact PingAuthorize or PingOne Authorize for access information. An access control rule can grant or deny access and can modify the request, based on the response from the PingAuthorize request application programming interface (API) *(tooltip: \<div class="paragraph">
\<p>A specification of interactions available for building software to access an application or service.\</p>
\</div>)*.

|   |                                                                                                                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The PingAuthorize sideband API cannot accept gzipped data from upstream server responses. Ensure that upstream server requests add or replace the `Accept-Encoding` header with `Accept-Encoding: identity` to prevent the upstream server from sending compressed responses. |

PingAuthorize access control rules are available for gateway, sideband, and agent deployments.

|   |                                                                                                                                                                                                                                                               |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | In agent deployments, PingAuthorize access control rules have the following limitations:- Agents cannot provide the request body to PingAuthorize.

- Agent caching is disabled for resources or applications that use the PingAuthorize access control rule. |

## Before you begin

Create a third-party service with PingAuthorize configured as the target. Learn more in [Adding third-party services](pa_third_party_services.html#adding-third-party-services).

## Steps

1. In the PingAccess admin console, click **Access** and go to **Rules > Rules**.

2. Click **[icon: plus, set=fa]Add Rule**.

3. In the **Name** field, enter a unique name of up to 64 characters.

   Special characters and spaces are allowed.

4. In the **Type** list, select **PingAuthorize Access Control**.

5. In the **Third Party Service** list, select your PingAuthorize service.

6. In the **Shared Secret** field, enter the shared secret from PingAuthorize.

7. (Optional) To include access token data in the request to PingAuthorize, select the **Include Identity Attributes** checkbox.

   This option is selected by default.

   |   |                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------ |
   |   | If you're using PingOne Authorize, this checkbox must be selected. PingOne Authorize requires identity attributes. |

8. (Optional) To include the HTTP request body in the HTTP request data sent to PingAuthorize, select the **Include Request Body** checkbox.

   If PingAuthorize needs the request body for an access decision, make sure that this checkbox is selected. Otherwise, clearing the checkbox could improve performance.

   This option is selected by default.

9. To prevent PingAccess from removing extra backslashes or quotation marks used as escape characters, select the **Unescape Request Body** checkbox.

   Learn more in the [PingAccess 9.0.1 release notes](../release_notes/pa_release_notes.html#pa-901).

10. (Optional) To configure advanced options, click **Show Advanced**:

    1. (Optional) In the **Sideband Endpoint** field, enter the sideband API endpoint location.

    2. (Optional) In the **Shared secret header name** field, enter a header in which to send the shared secret.

    3. (Optional) In the **Additional Request Headers** section, enter a **Header Name** and **Header Value** for any additional headers that you want to include in the request to PingAuthorize. Click **[icon: plus, set=fa]Add Row** to add other headers as necessary.

       PingAuthorize can use the additional headers to determine the policy set that's most relevant to the request context.

       If an additional header that you configured appears in a user request, PingAccess replaces the original request header and its corresponding values with the **Header Value** that you configured. If you leave the **Header Value** field blank, PingAccess removes this header from the request to PingAuthorize.

       If the **Header Value** contains the substrings `"${APPLICATION_NAME}"` or `"${RESOURCE_NAME}"`, PingAccess replaces those strings with the name of the requested application or resource as defined in PingAccess.

11. Click **Save**.