PingFederate Server

Configure access to the administrative API

Similar to the administrative console, access to the administrative API after initial setup can be protected by several authentication and authorization schemes.

Access to the administrative API after initial setup is protected by one of the following authentication and authorization schemes:

For new installations, native authentication is the default.

For upgrades, if the authentication or authorization method of the administrative API wasn’t previously set, such as when upgrading from PingFederate 7.3 or an earlier version, the Upgrade Utility sets the value to that of the administrative console. Otherwise, it preserves the previously set value, such as when upgrading from PingFederate 8.0 to a later release.

You can change the authentication or authorization method for the administrative API to any of the methods, regardless of which authentication or authorization method you choose for the administrative console.

In addition to authentication and authorization, PingFederate provides role-based access control, as described in the following table. The roles assigned to the accounts affect the results of the API calls.

PingFederate User Access Control

Account type: Admin
Administrative role: User Admin
Access privileges: Create users, deactivate users, change or reset passwords, and install replacement license keys.

Account type: Admin
Administrative role: Admin
Access privileges: Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.

Account type: Admin
Administrative role: Expression Admin
Access privileges: Map user attributes by using the expression language, Object-Graph Navigation Language (OGNL).

Only administrative users who have both the Admin role and the Expression Admin role:

  • Can be granted the User Admin role. This restriction prevents non-Expression Admin users from granting themselves the Expression Admin role.

  • Can be granted write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a data.zip file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.

Account type: Admin
Administrative role: Crypto Admin
Access privileges: Manage local keys and certificates.

Account type: Auditor
Administrative role: Not applicable
Access privileges: View-only permissions for all administrative functions. When the Auditor role is assigned, no other administrative roles can be set.

All four administrative roles are required to access and make changes through the following services:

  • The /bulk, /configArchive, and /configStore administrative API endpoints

  • The Configuration Archive window, accessed from System → Server, in the administrative console

  • The Connection Management configuration item on the Service Authentication window, accessed from Security → System Integration
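The role constraints from the access-control table and the all-four-roles requirement for the /bulk, /configArchive and /configStore endpoints, encoded as an offline check an auditor can run over an exported account list. This is an added example, not PingFederate's own code; the account records, their field names and the request paths below the page's endpoint prefixes are constructed.

```python
# Added example, not PingFederate's own code: encodes the role rules stated on
# this page so exported account data can be checked offline. Role names follow
# the page's table; the account records and field names below are constructed.

ROLES = {"User Admin", "Admin", "Expression Admin", "Crypto Admin", "Auditor"}
ALL_ADMIN_ROLES = {"User Admin", "Admin", "Expression Admin", "Crypto Admin"}
# Endpoint prefixes the page says need all four administrative roles to change.
FULL_ROLE_PREFIXES = ("/bulk", "/configArchive", "/configStore")


def role_violations(roles):
    """Rule violations in one account's role set, per the page's table."""
    roles = set(roles)
    problems = []
    if roles - ROLES:
        problems.append("unknown roles: %s" % sorted(roles - ROLES))
    if "Auditor" in roles and len(roles) > 1:
        problems.append("Auditor cannot be combined with other roles")
    if "User Admin" in roles and not {"Admin", "Expression Admin"} <= roles:
        problems.append("User Admin requires both Admin and Expression Admin")
    return problems


def can_call(roles, method, path):
    """True/False where the page decides the call; None where it does not."""
    roles = set(roles)
    if role_violations(roles):
        return False  # an invalid assignment should never be honoured
    if "Auditor" in roles:
        return method.upper() == "GET"  # view-only on every administrative function
    if path.startswith(FULL_ROLE_PREFIXES):
        return ALL_ADMIN_ROLES <= roles  # /bulk, /configArchive, /configStore
    return None  # other endpoints: the per-role mapping is not given on this page


def accounts_with_full_access(accounts):
    """Usernames able to change configuration via the all-four-roles endpoints."""
    return [a["username"] for a in accounts
            if can_call(a["roles"], "POST", "/configArchive/import") is True]


# Constructed sample shaped like an account listing (field names are assumed).
SAMPLE_ACCOUNTS = [
    {"username": "alice", "roles": ["User Admin", "Admin", "Expression Admin", "Crypto Admin"]},
    {"username": "bob", "roles": ["Admin", "Crypto Admin"]},
    {"username": "carol", "roles": ["Auditor"]},
    {"username": "dave", "roles": ["User Admin", "Admin"]},  # breaks the User Admin rule
]
```

Running `accounts_with_full_access(SAMPLE_ACCOUNTS)` lists only the accounts that can rewrite the whole configuration, which is the set to keep as small as possible; `role_violations` flags assignments the page says should not exist.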