Application access control

Use application access control to define access to applications through roles and groups.

For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications.

You can define application permissions to control access to custom-developed application features after users authenticate. Learn more in Application permissions.

Role type

Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles:

Organization Admin
Environment Admin
Identity Data Admin
Client Application Developer

For more information, see Administrator Roles. If no option is selected, an administrator role is not required to access the application.

Group type

Specifies that a user must be a member of a particular group or groups to access the application. If you have two or more groups, you can specify how group access is applied:

Any: The user must be a member of at least one of the specified groups.
All: The user must be a member of all specified groups.

If no option is selected, group membership is not required to access the application. If an existing group is removed from the environment, then any members of the group might no longer have access to the application, depending on their other group memberships and how group evaluation is configured.

Application portal

Determines whether an application icon appears in the application portal if the user would see the application in the application portal based on the group membership policy.

For example, you could use this option if the SSO flow is being triggered through means other than on the application portal or because you are creating multiple application deep links (see resource links) that will be shown in the application portal rather than the actual application. For more information, see PingOne application portal.

Configuring application access control

About this task

Use application access control to define access to applications through roles and groups. For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications.

Steps

Go to Applications → Applications.
Locate the application you want to configure. You can browse or search for applications.
Click the application entry to open the details panel for the application.
Click the Access tab and then click the pencil icon.
For Admin Only Access, to specify whether an administrator role is required to access the application, select the Must have admin role check box.

Available roles are:
- Organization Admin
- Environment Admin
- Identity Data Admin
- Client Application Developer
For more information, see Administrator Roles.

For Group membership policy, specify the groups that can access the application by searching or browsing for the group.

The list is updated as you enter the search criteria. Do one or more of the following:

Option	Description
Add a group to the access list	Drag the group name from the All groups list to the Applied groups list. You can also click the icon to add a group.
Remove a group from the access list	Drag the group name from the Applied groups list to the All groups list. You can also click the - icon to remove a group.
Require any group membership	If you apply two or more groups, select Any to require the user to be a member of any of the applied groups to access the application.
Require all group membership	If you apply two or more groups, select All to require the user to be a member of all of the applied groups to access the application.

Option

Description

Add a group to the access list

Drag the group name from the All groups list to the Applied groups list.

You can also click the icon to add a group.

Remove a group from the access list

Drag the group name from the Applied groups list to the All groups list.

You can also click the - icon to remove a group.

Require any group membership

If you apply two or more groups, select Any to require the user to be a member of any of the applied groups to access the application.

Require all group membership

If you apply two or more groups, select All to require the user to be a member of all of the applied groups to access the application.

If you remove an existing group from the environment, then any members of the group lose access to the configured application.

Click Save.

Auditing access events

You can use the Audit page to see a summary of user access events related to application access control.

Steps

Go to Monitoring → Audit.
For Time range, select the desired time span.
For Filter type, select Event type.
For Filter, select one of the following:
- User access allowed: The user accessed the resource successfully.
- User access denied: The user was denied access to the resource.
Click Run.

Next steps

In the Results list, see the Description column for specific events.
In the Details column, click View to see more detailed information about the event.