---
title: UMA actors
description: To allow UMA flows in your environment, you must first configure the UMA actors. You might already be familiar with some of these actors, such as the OAuth 2.0 provider, and the OAuth 2.0 clients.
component: pingam
version: 8.1
page_id: pingam:uma:uma-set-up-procedures
canonical_url: https://docs.pingidentity.com/pingam/8.1/uma/uma-set-up-procedures.html
keywords: ["User-Managed Access (UMA)", "Actors", "OAuth 2.0", "OpenID Connect (OIDC)", "Clients"]
page_aliases: ["uma-guide:uma-set-up-procedures.adoc"]
---

# UMA actors

To allow UMA flows in your environment, you must first configure the UMA actors. You might already be familiar with some of these actors, such as the OAuth 2.0 provider and the OAuth 2.0 clients.

Although the *UMA provider* is one of the actors, this role in AM is divided between the OAuth2 provider service and the UMA provider service, as you will see next.

To set up AM as an example UMA provider, resource server, and client, see the [UMA use case](uma-example.html) instead.

* The OAuth 2.0/OpenID Connect provider

  Because UMA is an extension of the OAuth 2.0 and OpenID Connect specifications, the AM authorization server is responsible for providing protection API access tokens (PATs), as well as requesting party access tokens (RPTs) and ID tokens for UMA clients.

  To configure the OAuth 2.0/OpenID Connect provider, see:

  * [Authorization server configuration](../am-oauth2/oauth2-configure-authz.html)

  * [OpenID provider configuration](../am-oidc1/configure-openid-connect-provider.html)

* UMA provider

  Configure the UMA provider by realm to expose UMA-related endpoints, and to configure UMA-related properties that are not exposed in the OAuth 2.0 provider.

  The service’s defaults are suitable for most situations and strike a good balance between security and ease of use.

  To configure the service, in the AM admin UI, go to Realms > *realm name* > Services, and add an UMA Provider service.

  For information about the available attributes, see [UMA Provider](../setup/services-configuration.html#global-uma).

* Resource server

  You need a server to let the end user register their resources and share them. The resource server can be an AM instance, a third-party service, or [PingGateway](https://docs.pingidentity.com/pinggateway/2025.11/gateway-guide/uma.html).

  Regardless of where the resource server is, it needs an *UMA client* that is registered in AM and configured as the UMA provider.

* UMA clients

  Configure OAuth 2.0 clients to work as a resource server agent, a requesting party, and a resource owner.

  Special scopes:

  * The `uma_protection` Scope.

    Clients requiring a protection API access token (PAT) must be configured with the `uma_protection` scope. This scope tells AM that the token is a PAT, and not a regular access token.

  * The `openid` Scope.

    Clients performing the UMA grant require the `openid` scope, since AM will provide the claims that UMA requires inside an ID token.

  For more information about registering clients, see [Client application registration](../am-oauth2/oauth2-register-client.html).
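
One way to check registered clients against the two special-scope requirements above. This is an added example, not part of the PingAM documentation. It assumes client registrations exported as RFC 7591-style metadata (`client_id`, `scope`, `grant_types`) and a hypothetical inventory `PAT_CLIENTS` of clients expected to request PATs; all sample data is constructed. It goes one step beyond the text by also flagging clients that hold `uma_protection` without being in that inventory.

```python
# Added example: audits client metadata for the two special UMA scopes.
# Field names follow RFC 7591 client metadata (an assumed export format,
# not AM's own attribute names).
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"  # UMA 2.0 grant type

# Constructed sample registrations.
SAMPLE_CLIENTS = [
    {"client_id": "rs-agent", "scope": "uma_protection",
     "grant_types": ["authorization_code"]},
    {"client_id": "rs-agent-broken", "scope": "profile",
     "grant_types": ["authorization_code"]},
    {"client_id": "rp-app", "scope": "openid read",
     "grant_types": [UMA_GRANT, "authorization_code"]},
    {"client_id": "rp-app-broken", "scope": "read",
     "grant_types": [UMA_GRANT]},
    {"client_id": "reporting", "scope": "openid uma_protection",
     "grant_types": ["authorization_code"]},
]
# Constructed (hypothetical) inventory: clients expected to request PATs.
PAT_CLIENTS = {"rs-agent", "rs-agent-broken"}


def audit_uma_scopes(clients, pat_clients):
    """Return sorted (client_id, finding) tuples for scope misconfigurations."""
    findings = []
    for client in clients:
        cid = client.get("client_id", "<missing client_id>")
        scopes = set((client.get("scope") or "").split())
        grants = set(client.get("grant_types") or [])
        # A client that must obtain a PAT needs uma_protection.
        if cid in pat_clients and "uma_protection" not in scopes:
            findings.append((cid, "needs a PAT but lacks uma_protection"))
        # Least-privilege check added here: unexpected uma_protection holders.
        if cid not in pat_clients and "uma_protection" in scopes:
            findings.append((cid, "holds uma_protection but is not an expected PAT client"))
        # A client performing the UMA grant needs openid for the ID token claims.
        if UMA_GRANT in grants and "openid" not in scopes:
            findings.append((cid, "uses the UMA grant but lacks openid"))
    return sorted(findings)


if __name__ == "__main__":
    for cid, finding in audit_uma_scopes(SAMPLE_CLIENTS, PAT_CLIENTS):
        print(f"{cid}: {finding}")
```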
