--- title: User store configuration description: If you want to control data access at the user level, configure PingAuthorize Server to use a user store so you can obtain attributes about the user who is invoking APIs, or the user about whom a service is invoking APIs, to evaluate the attributes as part of policy. component: pingauthorize version: 11.0 page_id: pingauthorize:pingauthorize_server_administration_guide:paz_config_user_store canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_config_user_store.html revdate: July 29, 2022 section_ids: prepare-external-store: prepare-external-store create-initial-config: create-initial-config example: Example --- # User store configuration If you want to control data access at the user level, configure PingAuthorize Server to use a user store so you can obtain attributes about the user who is invoking APIs, or the user about whom a service is invoking APIs, to evaluate the attributes as part of policy. Although PingAuthorize Server assumes that PingDirectory Server is the default user store, other LDAPv3-compliant directories are also supported. You can configure a user store using the `prepare-external-store` and `create-initial-config` commands. ## prepare-external-store When using PingDirectory Server as the user store, first prepare the server by running `prepare-external-store`. This tool completes the following tasks: * Creates the PingAuthorize Server user account on your instance of PingDirectory Server * Sets the correct password * Configures the account with the required privileges * Installs the schema that PingAuthorize Server requires ## create-initial-config The `create-initial-config` command configures connectivity between PingAuthorize Server and the user store. It also creates a System for Cross-domain Identity Management (SCIM) resource type through which PingAuthorize Server obtains the user attributes. The optional `create-initial-config` command is recommended for first-time installers. If you do not use `create-initial-config`, you can configure the following objects: * Store adapter * SCIM resource type * SCIM schema (optional) | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you do not configure these objects, you do not get the user's profile (the requester's attributes). For more information, see [User profile availability in policies](paz_user_profile_avail_policies.html). | For more information about configuring SCIM, see [About the SCIM service](paz_about_scim_service.html). ## Example For an example, see [Configuring the PingAuthorize user store](paz_config_paz_user_store.html).