---
title: Authorization
description: The Consent Service's distinction between privileged and unprivileged requesters determines the type of operations that can be performed by requesters.
component: pingdirectory
version: 11.0
page_id: pingdirectory:consent_solution_guide:pd_cs_authorization
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/consent_solution_guide/pd_cs_authorization.html
revdate: September 13, 2023
section_ids:
  bearer-token-check: Bearer token check
  basic-authentication-check: Basic authentication check
---

# Authorization

The Consent Service's distinction between `privileged` and `unprivileged` requesters determines the type of operations that can be performed by requesters.

During the authorization phase, the Consent servlet performs checks on both the bearer token claims, if present, and the `auth DN` to determine if the requester is privileged or unprivileged. These are summarized in the following table.

**Available operations per requester type**

| Requester type | Description | Access determined by | Can create consent records | Can update consent records | Can delete consent records |
| -------------- | ----------- | -------------------- | -------------------------- | -------------------------- | -------------------------- |
| `Unprivileged` | Requesters with no authority to operate on consent records other than their own. | A requester is considered `unprivileged` if it does not meet any of the criteria for a `privileged` requester. If using bearer token authentication, the access token (a data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources) must include a scope named by the `unprivileged-consent-scope` property of the Consent Service configuration. Also, an unprivileged requester can only perform actions on consent records where the subject distinguished name (DN) matches the requester DN. | Yes. The subject/subjectDN and actor/actorDN values are set based on the requester. | Yes, if the requester DN matches the subject DN. | No |
| `Privileged` | A requester with the authority to perform any operation on any consent record. | When using basic authentication, a requester is considered `privileged` if the requester DN either has the `bypass-acl` privilege or is listed in the `service-account-dn` property of the Consent Service configuration. If using bearer token authentication, the access token must include a scope named by the `privileged-consent-scope` property of the Consent Service configuration. | Yes | Yes | Yes |

## Bearer token check

If a bearer token was used, the following checks are performed:

* If the Consent Service's `audience` property is configured, the bearer token's audience claim must match the configured value.

* If the bearer token contains a scope matching the Consent Service's `privileged-scope-name` property, then the requester is considered privileged.

* If the bearer token doesn't contain a scope matching the Consent Service's `privileged-scope-name` property, the bearer token must have a scope matching the Consent Service's `unprivileged-scope-name` property, and the requester is considered unprivileged.

## Basic authentication check

If basic authentication is used, the following checks are performed:

* If the `auth DN` has the Lightweight Directory Access Protocol (LDAP) privilege `bypass-acl` (LDAP being an open, cross-platform protocol used for interacting with directory services), the requester is `privileged`.

* If the `auth DN` is listed in the Consent Service's `service-account-dn` property, the requester is `privileged`.

* If the `auth DN` isn't listed in the Consent Service's `service-account-dn` property, the requester is considered `unprivileged`.
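The following is an added illustrative model, not PingDirectory's own code, that encodes the decision rules from both the "Bearer token check" and "Basic authentication check" sections together with the operations table, so the edge cases (audience mismatch, a token carrying neither scope, an unprivileged requester touching someone else's record) can be exercised. The configuration dictionary, the JWT claim layout (`aud`, space-separated `scope`), the simplified DN normalisation and all sample values are assumptions, not taken from the product.

```python
"""Model of the Consent Service requester classification (added example).

Property names follow the page; config shape, claim layout, scope format
and DN normalisation are assumptions, and all values are constructed.
"""

# Assumed configuration shape; values are constructed sample data.
CONFIG = {
    "audience": "https://consent.example.com",
    "privileged-scope-name": "consent_admin",
    "unprivileged-scope-name": "consent",
    "service-account-dn": {"cn=Consent Svc,ou=Services,dc=example,dc=com"},
}


def norm_dn(dn):
    """Simplified DN normalisation (case and whitespace only); real LDAP
    DN matching has more rules, so never compare raw DN strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def classify_bearer(claims, cfg=CONFIG):
    """Bearer token check: audience first, then privileged scope, then
    unprivileged scope; a token with neither consent scope is rejected."""
    if cfg.get("audience"):
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]  # aud may be a list
        if cfg["audience"] not in auds:
            raise PermissionError("audience claim does not match configuration")
    scopes = set(claims.get("scope", "").split())
    if cfg["privileged-scope-name"] in scopes:
        return "privileged"
    if cfg["unprivileged-scope-name"] in scopes:
        return "unprivileged"
    raise PermissionError("token carries neither consent scope")


def classify_basic(auth_dn, privileges, cfg=CONFIG):
    """Basic auth check: bypass-acl privilege or a listed service account
    DN makes the requester privileged; anything else is unprivileged."""
    if "bypass-acl" in privileges:
        return "privileged"
    service_dns = {norm_dn(d) for d in cfg["service-account-dn"]}
    return "privileged" if norm_dn(auth_dn) in service_dns else "unprivileged"


def allowed(kind, op, requester_dn, subject_dn):
    """Operations table: privileged may do anything; unprivileged may create
    (subject is set from the requester), may update only its own records,
    and may never delete."""
    if kind == "privileged" or op == "create":
        return True
    if op == "delete":
        return False
    return norm_dn(requester_dn) == norm_dn(subject_dn)
```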
