PingDirectory

Authorization

The Consent Service distinguishes privileged requesters from unprivileged requesters, and that distinction determines which operations a requester is allowed to perform on consent records.

During the authorization phase, the Consent servlet performs checks on both the bearer token claims, if present, and the auth DN to determine if the requester is privileged or unprivileged. These are summarized in the following table.

Available operations per requester type

| Requester type | Description | Access determined by | Can create consent records | Can update consent records | Can delete consent records |
|---|---|---|---|---|---|
| Unprivileged | Requesters with no authority to operate on consent records other than their own. | A requester is considered unprivileged if it does not meet any of the criteria for a privileged requester. If using bearer token authentication, the access token must include a scope named by the unprivileged-consent-scope property of the Consent Service configuration. Also, an unprivileged requester can only perform actions on consent records where the subject distinguished name (DN) matches the requester DN. | Yes. The subject/subjectDN and actor/actorDN values will be set based on the requester. | Yes, if the requester DN matches the subject DN. | No |
| Privileged | A requester with the authority to perform any operation on any consent record. | When using basic authentication, a requester is considered privileged if the requester DN either has the bypass-acl privilege or is listed in the service-account-dn property of the Consent Service configuration. If using bearer token authentication, the access token must include a scope named by the privileged-consent-scope property of the Consent Service configuration. | Yes | Yes | Yes |

Bearer token check

If a bearer token was used, the following checks are performed:

  • If the Consent Service’s audience property is configured, the bearer token’s audience claim must match the configured value.

  • If the bearer token contains a scope matching the Consent Service’s privileged-scope-name property, then the requester is considered privileged.

  • If the bearer token doesn’t contain a scope matching the Consent Service’s privileged-scope-name property, the bearer token must have a scope matching the Consent Service’s unprivileged-scope-name property, and the requester is considered unprivileged.

Basic authentication check

If basic authentication is used, the following checks are performed:

  • If the auth DN has the Lightweight Directory Access Protocol (LDAP) privilege bypass-acl, the requester is privileged.

  • If the auth DN is listed in the Consent Service’s service-account-dn property, the requester is privileged.

  • If the auth DN isn’t listed in the Consent Service’s service-account-dn property, the requester is considered unprivileged.
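The following is an added example that models the decision procedure described in the table and in the two check lists above as one function each: classification of the requester (bearer-token checks first, basic-authentication checks otherwise) and the per-operation rule for unprivileged requesters. It is not PingDirectory's code. The configuration field names mirror the properties the page names; the scope values, DNs, claim layout (a space-separated `scope` claim and a string-or-list `aud` claim) and the simplified DN comparison are assumptions made for the example.

```python
"""Illustrative model of the Consent Service authorization decision.

Added example, not PingDirectory's implementation. Property names follow the
documentation; every concrete value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised when a request fails the bearer-token or basic-auth checks."""


@dataclass(frozen=True)
class ConsentServiceConfig:
    # Fields mirror the configuration properties the page names; values are assumed.
    audience: Optional[str] = None
    privileged_consent_scope: str = "consent:admin"
    unprivileged_consent_scope: str = "consent"
    service_account_dn: frozenset = frozenset()


@dataclass(frozen=True)
class Requester:
    auth_dn: str
    # None means basic authentication was used; a dict holds bearer-token claims.
    bearer_claims: Optional[dict] = None
    # LDAP privileges held by auth_dn (only consulted for basic authentication).
    ldap_privileges: frozenset = frozenset()


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison: case-fold and drop whitespace around commas.
    Real LDAP DN matching is more involved; this is sufficient for the example."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def classify_requester(req: Requester, cfg: ConsentServiceConfig) -> str:
    """Return 'privileged' or 'unprivileged', or raise AuthorizationError."""
    if req.bearer_claims is not None:
        claims = req.bearer_claims
        # The audience check only applies when the audience property is configured.
        if cfg.audience is not None:
            aud = claims.get("aud")
            audiences = set(aud) if isinstance(aud, list) else {aud}
            if cfg.audience not in audiences:
                raise AuthorizationError("bearer token audience does not match")
        raw = claims.get("scope", "")
        scopes = set(raw) if isinstance(raw, list) else set(str(raw).split())
        if cfg.privileged_consent_scope in scopes:
            return "privileged"
        if cfg.unprivileged_consent_scope in scopes:
            return "unprivileged"
        raise AuthorizationError("bearer token carries neither consent scope")
    # Basic authentication: bypass-acl privilege or a service-account-dn listing
    # makes the requester privileged; anything else is unprivileged.
    if "bypass-acl" in req.ldap_privileges:
        return "privileged"
    accounts = {normalize_dn(d) for d in cfg.service_account_dn}
    if normalize_dn(req.auth_dn) in accounts:
        return "privileged"
    return "unprivileged"


def is_operation_allowed(requester_type: str, operation: str,
                         requester_dn: str, subject_dn: str) -> bool:
    """Apply the per-requester-type rules from the operations table."""
    if requester_type == "privileged":
        return True
    # Unprivileged: may create, may update only its own record, may never delete.
    if operation == "create":
        return True
    if operation == "update":
        return normalize_dn(requester_dn) == normalize_dn(subject_dn)
    return False  # "delete" and any unrecognised operation are refused


def build_create_payload(requester_type: str, requester_dn: str, requested: dict) -> dict:
    """For unprivileged creates, stamp subjectDN/actorDN from the requester
    rather than trusting the submitted values (modelled on the table's note)."""
    record = dict(requested)
    if requester_type == "unprivileged":
        record["subjectDN"] = requester_dn
        record["actorDN"] = requester_dn
    return record


if __name__ == "__main__":
    cfg = ConsentServiceConfig(
        audience="consent-api",
        service_account_dn=frozenset({"cn=Consent Admin,ou=Apps,dc=example,dc=com"}),
    )
    app = Requester("cn=Consent Admin,ou=Apps,dc=example,dc=com")
    user = Requester("uid=alice,ou=People,dc=example,dc=com",
                     bearer_claims={"aud": "consent-api", "scope": "openid consent"})
    for r in (app, user):
        kind = classify_requester(r, cfg)
        print(r.auth_dn, "->", kind,
              "delete allowed:", is_operation_allowed(kind, "delete", r.auth_dn, user.auth_dn))
```

Two points worth noting in the model: the audience check is skipped entirely when the `audience` property is unset, so leaving it unconfigured means any token with the right scope is accepted regardless of whom it was issued for; and an unknown operation name falls through to a refusal for unprivileged requesters, which is the safe default when the table does not list the operation.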