PingOne

Adding application permissions

Define application permissions for the application resources that you want to protect.

Before you begin

Add a custom resource for your protected endpoints.

About this task

Application resources are features that users want to access, such as checking and savings accounts, an investment services add-on, or an invoicing module in a business application.

PingOne platform resources, such as identities and PingOne APIs, are protected by PingOne platform roles and permissions. Application resources protect access to resources that are developed by your organization’s engineering teams.

An application permission is the combination of an action and a resource. Think of permissions as actions that can be taken on a resource. Configure application permissions by assigning actions to application resources.

You can add up to 128 application resources and 128 application permissions in each PingOne environment.

For example, consider a business application called BizPro that has invoicing capabilities. Endpoints for the associated invoicing API allow the following actions on the invoices resource:

  • Read invoices: GET /bizpro/invoices

  • Create an invoice: POST /bizpro/invoices

  • Update an invoice: PUT /bizpro/invoices/{{invoiceId}}

  • Pay an invoice: POST /bizpro/invoices/{{invoiceId}}/pay

  • Void an invoice: POST /bizpro/invoices/{{invoiceId}}/void

To control access to invoices, you create corresponding application permissions:

  • Invoices:Read

  • Invoices:Write

  • Invoices:Update

  • Invoices:Pay

  • Invoices:Void

Application roles simplify managing these permissions. For example, David, an invoicing processor, might have permissions to create and pay invoices, while Melissa, the billing supervisor, can view and void invoices. Learn more in Adding an application role.

Steps

  1. Go to Applications → Resources and browse or search for the custom resource for your protected endpoints.

  2. Click the custom resource to open the details pane, then click the Permissions tab.

  3. Optional: To include user permissions in access tokens created for this custom resource, click the Include user permissions in Access Token toggle.

    Permissions for the authenticated user are included in the p1.permissions claim in the access token.

    If your organization requires a large number of permissions, consider using permissions-based rules for permissions enforcement. Learn more in Application permissions.

    Screen capture showing the Include user permissions in access token toggle and the + Add Permissions button on the Permissions tab.

  4. Click Add Permissions.

  5. To create an application resource, enter a unique Name and an optional Description. Click Next.

    Screen capture showing the Name and Description fields in the Create Application Resource window.

    The name can include Unicode letters, marks, numbers, spaces, forward slashes, dots, apostrophes, underscores, and hyphens, with a maximum length of 20 characters.

  6. Configure permissions for the application resource:

    1. Click Add to add an Action that you want to protect with a permission.

      The action can include Unicode letters, with a maximum length of 20 characters.

    2. Optional: Enter a Description for the action.

      Screen capture showing the Application Resource, Action, and Description columns in the Configure Permission window.

    3. To add more actions, click Add.

  7. Click Save.

Next steps

Assign permissions to roles.
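
The following is an added example, not PingOne code, of how a resource server for the BizPro invoicing API could enforce the permissions above from the p1.permissions claim. It assumes the access token's signature, issuer, audience, and expiry have already been validated, that the claim is a list of Resource:Action strings, and that invoice IDs contain only letters, digits, hyphens, and underscores; the function names and sample claims are hypothetical.

```python
import re

# Assumed invoice ID format (not specified on this page).
_ID = r"[A-Za-z0-9_-]+"

# BizPro endpoints from this page mapped to the permission that guards each.
ROUTES = [
    ("GET",  r"/bizpro/invoices",                "Invoices:Read"),
    ("POST", r"/bizpro/invoices",                "Invoices:Write"),
    ("PUT",  rf"/bizpro/invoices/{_ID}",         "Invoices:Update"),
    ("POST", rf"/bizpro/invoices/{_ID}/pay",     "Invoices:Pay"),
    ("POST", rf"/bizpro/invoices/{_ID}/void",    "Invoices:Void"),
]

def required_permission(method, path):
    """Return the permission guarding an endpoint, or None if it is unmapped."""
    for route_method, pattern, permission in ROUTES:
        # fullmatch prevents prefix tricks such as /bizpro/invoices/1/pay/extra
        if route_method == method.upper() and re.fullmatch(pattern, path):
            return permission
    return None

def is_authorized(claims, method, path):
    """Authorize a request from already-verified token claims. Fails closed."""
    needed = required_permission(method, path)
    if needed is None:
        return False  # unknown endpoint or method: deny by default
    granted = claims.get("p1.permissions")
    # ASSUMPTION: the claim is a list of "Resource:Action" strings.
    # Rejecting non-lists also avoids substring matches against a plain string.
    if not isinstance(granted, list):
        return False
    return needed in granted

# Constructed claims modelled on the roles described on this page.
DAVID = {"sub": "david", "p1.permissions": ["Invoices:Write", "Invoices:Pay"]}
MELISSA = {"sub": "melissa", "p1.permissions": ["Invoices:Read", "Invoices:Void"]}

if __name__ == "__main__":
    for who, claims in (("David", DAVID), ("Melissa", MELISSA)):
        for method, path in (("POST", "/bizpro/invoices"),
                             ("POST", "/bizpro/invoices/inv-42/void")):
            print(who, method, path, is_authorized(claims, method, path))
```

Tokens issued before a role change keep the old claim until they expire, so short access token lifetimes limit how long a revoked permission stays usable.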