---
description: This example sets up the PingAuthorize Policy Editor with self-governance and OIDC authentication.
component: pingauthorize
version: 10.1
page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_setup_pe_oidc_self_gov
canonical_url: https://docs.pingidentity.com/pingauthorize/10.1/installing_and_uninstalling_pingauthorize/paz_setup_pe_oidc_self_gov.html
section_ids:
  example-set-up-the-pingauthorize-policy-editor-in-oidc-mode-self-governance: "Example: Set up the PingAuthorize Policy Editor in OIDC mode (self-governance)"
---

# Example: Set up the PingAuthorize Policy Editor in OIDC mode (self-governance)

This example sets up the PingAuthorize Policy Editor with self-governance and OIDC authentication.

For more information about configuring OIDC authentication, see the **OIDC mode (generic)** tab on this page.

**Note:** Self-governance is not supported in clustered Policy Editor configurations.

To enable self-governance with OIDC authentication, use the following arguments:

* `--enableSelfGovernance` (required)

  Turns on the self-governance functionality.

* `--selfGovernanceSystemUser` (required)

  Sets the self-governance administrator username for OIDC authentication.

* `--apiHttpCacheTtl` (optional)

  Sets the time-to-live value (in seconds) for the [HTTP cache](../pingauthorize_server_administration_guide/paz_http_caching.html), after which the cache is refreshed and a new self-governance check is performed. This value must be 1 or greater.

  **Note:** If you don't specify a value, the Policy Editor uses the default time-to-live of 60 seconds.

The following example sets up the Policy Editor to use PingOne for OIDC authentication, enables self-governance, and specifies an OIDC username for the self-governance administrator:

```shell
$ bin/setup oidc \
  --hostname localhost \
  --port 9443 \
  --adminPort <admin-port> \
  --oidcBaseUrl https://auth.pingone.com/<my-environment-id>/as \
  --clientId <my-client-id> \
  --generateSelfSignedCertificate \
  --enableSelfGovernance \
  --selfGovernanceSystemUsername <oidc-authenticated-user>
```
