---
title: Authentication and authorization with the Configuration API
description: This topic explains how to customize authentication and authorization access using the Configuration API.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_authn_auth_config_api
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_authn_auth_config_api.html
revdate: July 5, 2024
page_aliases: ["pingdatasync_server_administration_guide:pd_sync_authn_authr.adoc", "pingdirectoryproxy_server_administration_guide:pd_proxy_authn_auth_config_api.adoc"]
section_ids:
  authentication: Authentication
  authorization: Authorization
---

# Authentication and authorization with the Configuration API

This topic explains how to customize authentication and authorization access using the Configuration API.

## Authentication

Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value isn't a distinguished name (DN), then it resolves to a DN value using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry's UID value to be used as a username. To customize this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet's `identity-mapper` property. The following code provides an example:

```shell
$ bin/dsconfig set-http-servlet-extension-prop \
  --extension-name Configuration \
  --set "identity-mapper:Alternative Identity Mapper"
```

## Authorization

To access configuration information, users must have the appropriate privileges:

* To access the `cn=config` backend, users must have the `bypass-acl` privilege or be allowed access to the configuration using an ACI.

* To read configuration information, users must have the `config-read` privilege.

* To update the configuration, users must have the `config-write` privilege.