---
title: Example configuration scenarios
description: Review the following client application scenarios to determine how to configure the Consent Service to meet your business needs.
component: pingdirectory
version: 11.0
page_id: pingdirectory:consent_solution_guide:pd_cs_config_scenarios
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/consent_solution_guide/pd_cs_config_scenarios.html
revdate: July 3, 2024
section_ids:
  directly-managed-consents: Directly managed consents
  indirectly-managed-consents-basic-authentication: Indirectly managed consents (basic authentication)
---

# Example configuration scenarios

Review the following client application scenarios to determine how to configure the Consent Service to meet your business needs.

## Directly managed consents

In this scenario, one or more client applications provide an interface for individuals to directly manage their own consent records. These applications can only manage consents for the currently authenticated user. In addition, there's a client application for consent administrators.

An OAuth 2 authorization server grants access tokens that the applications use to access the Consent API.

Configuration for this scenario includes:

1. Configure an OAuth 2 authorization server to issue a `urn:pingdirectory:consent` scope to individuals and a `urn:pingdirectory:consent_admin` scope to consent administrators.

2. Create an identity mapper to map subject identifiers used by the authorization server to Lightweight Directory Access Protocol (LDAP) *(tooltip: \<div class="paragraph">
   \<p>An open, cross platform protocol used for interacting with directory services.\</p>
   \</div>)* distinguished names (DNs) used by the PingDirectory server.

3. Configure an access token *(tooltip: \<div class="paragraph">
   \<p>A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.\</p>
   \</div>)* validator to validate tokens issued by the OAuth 2 authorization server.

4. Configure the Consent HTTP Servlet Extension to disable HTTP basic authentication and restart the HTTPS Connection Handler.

5. Configure the Consent Service to use the OAuth scopes and token validator.

## Indirectly managed consents (basic authentication)

In this scenario, an application uses a privileged service account to manage its users' consents. The application's privileged account can access any consent record, which gives the application the ability to perform operations that an individual user can't.

The following configuration steps describe the setup needed for the PingDirectory server's Open Banking Account Requests service to use the Consent Service as its backend.

Configuration for this scenario includes:

1. Create a service account for the application.

2. Configure the Consent HTTP Servlet Extension to enable HTTP basic authentication and restart the HTTPS Connection Handler.

3. Create an identity mapper to map the consent record subject and actor attribute values to LDAP DNs.

4. Configure the Consent Service to use the application's service account.

5. Configure the Consent Service to use the identity mapper.