---
title: Forwarding authorization identities in requests
description: By default, the PingDirectoryProxy server tries to ensure that requests it forwards to backend servers get processed with the correct user authorization. To do this, the server relies on a function controlled by the authorization-method property, located in the LDAP external server configuration for each of the backend server instances.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectoryproxy_server_administration_guide:pd_proxy_fwd_authz_entry_control
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectoryproxy_server_administration_guide/pd_proxy_fwd_authz_entry_control.html
section_ids:
  considering-proxied-authorization-scenarios: Considering proxied authorization scenarios
  using-the-forward-authorization-entry-control: Using the forward-authorization-entry-control
  steps: Steps
---

# Forwarding authorization identities in requests

By default, the PingDirectoryProxy server tries to ensure that requests it forwards to backend servers get processed with the correct user authorization. To do this, the server relies on a function controlled by the `authorization-method` property, located in the LDAP external server configuration for each of the backend server instances.

## Considering proxied authorization scenarios

In environments configured with a PingDirectoryProxy server in front of PingDirectory server instances, the `authorization-method` property is typically set to `intermediate-client-control`. This `authorization-method` value might not be the best option when clients need to authorize a request as a user whose account doesn't exist in the backend server, including the following scenarios:

* Entry-balanced configurations where a user whose account resides in one backend set might need to issue requests targeting entries in a different backend set

* Configurations that have multiple subtree views backed by different sets of backend servers for different parts of the DIT, where a user whose account resides in one part might need to issue requests targeting entries in a different part

However, the `intermediate-client-control` setting can still be appropriate for deployments where some users might need to issue requests that get processed by servers that don't contain their accounts. In these scenarios, there are a small number of roles that any user can assume, such as a regular end user, a password administrator, or a full server administrator. You can create surrogate accounts for each of those roles that reside in all the backend servers.

> Note: To indicate that operations processed in servers that don't contain the requester's user entry should be authorized as the appropriate surrogate account, use the `ds-authz-map-to-dn` operational attribute, whether real or virtual.

## Using the `forward-authorization-entry-control`

You can also use the `forward-authorization-entry-control`, which causes the PingDirectoryProxy server to forward a copy of the requester's entry to the backend server. The PingDirectoryProxy server uses that entry to authorize requests as that user in backend servers that don't already contain the entry.

> Note: Prefer the `intermediate-client-control` for proxied authorization. Reserve the `forward-authorization-entry-control` for scenarios where it's common for users in one entry-balanced backend set to need access to entries in other backend sets, but whose entries can't be reasonably mapped to surrogate entries. You can only use the `forward-authorization-entry-control` in topologies where all servers are running version 10.3 or later.

### Steps

For each PingDirectoryProxy server in the topology, make the following configuration change for every LDAP external server instance:

* Set the value of `authorization-method` to `forward-authorization-entry-control`.

  Example:

  ```shell
  $ bin/dsconfig set-external-server-prop \
    --server-name server.example.com:636 \
    --set authorization-method:forward-authorization-entry-control
  ```
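As an added example (not Ping Identity's code, and not output of the `dsconfig` tool), the following POSIX shell script plans the change above across an inventory of LDAP external servers and refuses to emit any `dsconfig` command unless every listed server meets the 10.3-or-later requirement. The inventory, its hostnames and version numbers are constructed for illustration; gathering each backend's actual version is left to the administrator, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not Ping Identity's code: plan the authorization-method
# change for every LDAP external server, gated on the version requirement
# that every server in the topology runs 10.3 or later.

# version_ok VERSION -> succeeds when VERSION is 10.3 or later.
# Only the major.minor prefix is compared; a bare major (e.g. "11") counts as X.0.
version_ok() {
  major=${1%%.*}
  case $1 in
    *.*) rest=${1#*.}; minor=${rest%%.*} ;;
    *)   minor=0 ;;
  esac
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 3 ]; }
}

# set_cmd SERVER-NAME -> prints the dsconfig command for one external server.
set_cmd() {
  printf 'bin/dsconfig set-external-server-prop --server-name %s --set authorization-method:forward-authorization-entry-control\n' "$1"
}

# all_supported INVENTORY -> succeeds only when every "name version" line
# in INVENTORY is 10.3 or later; reports the first offender on stderr.
all_supported() {
  printf '%s\n' "$1" | while read -r name ver; do
    [ -n "$name" ] || continue
    version_ok "$ver" || { echo "unsupported: $name runs $ver (need 10.3+)" >&2; exit 1; }
  done
}

# plan INVENTORY -> prints one dsconfig command per server, or prints
# nothing and fails when any server is too old (no partial rollout).
plan() {
  all_supported "$1" || return 1
  printf '%s\n' "$1" | while read -r name ver; do
    [ -n "$name" ] || continue
    set_cmd "$name"
  done
}

# Constructed inventory (hypothetical hosts and versions): one line per
# external server, "server-name version". The third entry is deliberately
# below 10.3 to show that the plan is refused as a whole.
INVENTORY="server1.example.com:636 11.0
server2.example.com:636 10.3
server3.example.com:636 10.2"

plan "$INVENTORY" || echo "no changes planned: every server must run 10.3 or later"
```

Once all backends are confirmed at 10.3 or later, the printed commands are the same `dsconfig set-external-server-prop` invocations shown in the step above, one per external server, to be run on each PingDirectoryProxy server in the topology.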
