---
title: User profile availability in policies
description: In a policy, you might need to make a decision based on something about the requesting identity, meaning the access token subject or token owner. PingAuthorize can automatically look up the token owner's attributes and provide them in the policy request using a token resource lookup method.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_user_profile_avail_policies
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_user_profile_avail_policies.html
revdate: February 13, 2025
section_ids:
  token-resource-lookup-methods: Token resource lookup methods
  user-profile-data-from-access-tokens: User profile data from access tokens
---

# User profile availability in policies

In a policy, you might need to make a decision based on something about the requesting identity, meaning the access token subject or token owner. PingAuthorize can automatically look up the token owner's attributes and provide them in the policy request using a token resource lookup method.

## Token resource lookup methods

PingAuthorize provides built-in support for retrieving token owner data using [SCIM token resource lookup methods](paz_token_resource_lookup.html#SCIM_token_resource_lookup). Using a SCIM token resource lookup method requires a SCIM resource type to be configured, along with that resource type's prerequisite configuration objects. Learn more about SCIM configuration, such as SCIM resource types, store adapters, load-balancing algorithms, and LDAP external servers, in [SCIM configuration basics](paz_scim_config_basics.html).

You can find examples that show how to set up a token resource lookup method in:

* [Configuring the PingAuthorize OAuth subject search](paz_config_oauth_subj_search.html)

* [Sideband access token validation](paz_sideband_access_token_valid.html)

* [SCIM token resource lookup methods](paz_token_resource_lookup.html#SCIM_token_resource_lookup)

## User profile data from access tokens

When processing an incoming HTTP request, the PingAuthorize Server invokes any applicable access token validators to parse and validate the request's access token. If an access token validator accepts the token, it then invokes any token resource lookup methods associated with it. If a token resource lookup method succeeds in retrieving the attributes of the token owner, the PingAuthorize Server includes a `TokenOwner` attribute in the policy request; the value of `TokenOwner` is a JSON object containing the user profile. If no lookup method returns a profile, the policy request carries no `TokenOwner` value and the attribute takes its Trust Framework default instead.

The exact structure of the `TokenOwner` attribute varies from deployment to deployment. When using a SCIM token resource lookup method, the contents of the `TokenOwner` attribute are a SCIM resource using the schema of the SCIM resource type configured for the token resource lookup method, exactly as if the resource had been retrieved using an HTTP GET operation without policy restrictions. In other words, the policy request receives the full resource, not a view filtered by any policy that would apply to a SCIM request for the same user, so every attribute the store adapter exposes is visible to policies, including attributes no policy needs.

For example, for a `pass-through` SCIM resource type for the LDAP `inetOrgPerson` object class, a `TokenOwner` value might look like the following:

```json
{
    "cn": [
        "Mark E. Smith"
    ],
    "employeeNumber": "1",
    "entryDN": "uid=mark.e.smith,ou=people,dc=example,dc=com",
    "entryUUID": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
    "givenName": [
        "Mark"
    ],
    "id": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
    "initials": [
        "MES"
    ],
    "l": [
        "Manchester"
    ],
    "mail": [
        "mark.e.smith@example.com"
    ],
    "meta": {
        "location": "https://example.com/scim/v2/Users/8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
        "resourceType": "Users"
    },
    "mobile": [
        "+44 161 872 37676"
    ],
    "modifyTimestamp": "2020-06-03T03:56:54.168Z",
    "objectClass": [
        "top",
        "person",
        "organizationalPerson",
        "inetOrgPerson"
    ],
    "schemas": [
        "urn:pingidentity:schemas:store:2.0:UserStoreAdapter"
    ],
    "sn": [
        "Smith"
    ],
    "uid": [
        "mark.e.smith"
    ]
}
```

The default Trust Framework defines a `TokenOwner` attribute whose default value is an empty JSON object, so a policy that references it still evaluates when no profile was retrieved. If you need to use a user profile attribute from a policy, add that attribute as a child of `TokenOwner` in the Trust Framework, with a JSON Path that selects the value from the profile and a default to fall back on when the path is absent.

For example, the SCIM user profile shown above uses the `mail` attribute to store a user's email addresses. To make policy decisions using the token owner's email address, you can add an `Emails` attribute under `TokenOwner` in the PingAuthorize Policy Editor:

![Screen capture of the Definitions tab in the Trust Framework, with the Emails attribute selected. The Emails attribute shows TokenOwner as its parent, with an attribute resolver of TokenOwner, a JSON Path processor of type Collection for the mail attribute, and a Default value (enabled) of empty square brackets of Type Collection](_images/phr1592229117175.png)
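To make the resolution chain concrete, the following is an added Python model of the three steps described above (the token resource lookup, the `TokenOwner` attribute with its empty-object default, and the `Emails` child attribute resolved by JSON Path with a `[]` default). It is illustration code written for this page, not PingAuthorize code and not its policy language; the user store, the `ALLOWED_DOMAINS` constant, the `decide` rule and the `no.mail` user are constructed for the example. The second rule, `decide_fail_open`, shows the caveat a practitioner should check: a Collection default of `[]` only fails closed if the rule requires a positive match.

```python
from typing import Any, Optional

# Constructed sample: a trimmed copy of the pass-through SCIM profile shown
# on this page (only the attributes the example touches).
SAMPLE_TOKEN_OWNER: dict = {
    "id": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
    "mail": ["mark.e.smith@example.com"],
    "uid": ["mark.e.smith"],
    "meta": {"resourceType": "Users"},
    "schemas": ["urn:pingidentity:schemas:store:2.0:UserStoreAdapter"],
}

# Constructed stand-in for the SCIM resource type the lookup method queries,
# keyed by token subject. "no.mail" is a user with no mail attribute at all.
USER_STORE: dict = {
    "mark.e.smith": SAMPLE_TOKEN_OWNER,
    "no.mail": {"id": "0f1e2d3c-0000-4000-8000-000000000001", "uid": ["no.mail"]},
}

ALLOWED_DOMAINS = {"example.com"}  # hypothetical policy constant


def token_resource_lookup(subject: str) -> Optional[dict]:
    """Stand-in for a SCIM token resource lookup method: returns the token
    owner's full SCIM resource, or None when nothing matches the subject."""
    return USER_STORE.get(subject)


def build_policy_request(profile: Optional[dict]) -> dict:
    """TokenOwner is populated only when the lookup succeeded. The default
    Trust Framework value for TokenOwner is an empty JSON object, so a failed
    lookup resolves to {} and child attributes fall back to their own defaults
    instead of failing attribute resolution."""
    return {"TokenOwner": profile if profile is not None else {}}


def resolve_collection(root: Any, json_path: str, default: list) -> list:
    """Resolve a simple dotted JSON Path ("$.mail", "$.meta.resourceType")
    against a JSON object the way a Collection-typed attribute would: a list
    is returned as-is, a scalar is wrapped in a one-element list, and a path
    that does not exist yields the configured default."""
    if not json_path.startswith("$"):
        raise ValueError("only paths rooted at $ are supported here")
    node = root
    for key in [k for k in json_path[1:].split(".") if k]:
        if not isinstance(node, dict) or key not in node:
            return list(default)
        node = node[key]
    return list(node) if isinstance(node, list) else [node]


def resolve_emails(policy_request: dict) -> list:
    """The page's Emails attribute: parent TokenOwner, JSON Path $.mail,
    type Collection, default []."""
    return resolve_collection(policy_request["TokenOwner"], "$.mail", [])


def email_domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def decide(policy_request: dict) -> str:
    """Hypothetical rule written to require a positive match: PERMIT only if
    at least one Emails entry is in an allowed domain. With the [] default
    this fails closed when no profile was retrieved."""
    emails = resolve_emails(policy_request)
    if any(email_domain(a) in ALLOWED_DOMAINS for a in emails):
        return "PERMIT"
    return "DENY"


def decide_fail_open(policy_request: dict) -> str:
    """The same intent written the wrong way round: DENY if any address is in
    a domain that is not allowed. An empty Emails collection matches nothing,
    so a missing profile is PERMITted, which is rarely what was meant."""
    emails = resolve_emails(policy_request)
    if any(email_domain(a) not in ALLOWED_DOMAINS for a in emails):
        return "DENY"
    return "PERMIT"


if __name__ == "__main__":
    for subject in ("mark.e.smith", "no.mail", "unknown.subject"):
        req = build_policy_request(token_resource_lookup(subject))
        print(subject, resolve_emails(req), decide(req), decide_fail_open(req))
```

Running the block prints one line per subject: the known user with a mail attribute is permitted by both rules, while the user without `mail` and the unknown subject (whose `TokenOwner` is `{}`) are denied by `decide` but permitted by `decide_fail_open`. When you add a child of `TokenOwner` in the Policy Editor, check the rule that consumes it against the empty default the same way.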
