PingOne

Application access control

Use application access control to define access to applications through roles and groups.

For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications.

You can define application permissions to control access to custom-developed application features after users authenticate. Learn more in Application permissions.
Role type

Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles:

  • Organization Admin

  • Environment Admin

  • Identity Data Admin

  • Client Application Developer

Learn more in Administrator Roles. If no option is selected, an administrator role is not required to access the application.

Group type

Specifies that a user must be a member of a particular group or groups to access the application. If you have two or more groups, you can specify how group access is applied:

  • Any: The user must be a member of at least one of the specified groups.

  • All: The user must be a member of all specified groups.

If no option is selected, group membership is not required to access the application. If an existing group is removed from the environment, then any members of the group might no longer have access to the application, depending on their other group memberships and how group evaluation is configured.

Application portal

Determines whether an application icon appears in the application portal if the user would see the application in the application portal based on the group membership policy.

For example, you could use this option if the SSO flow is being triggered through means other than on the application portal or because you are creating multiple application deep links that will be shown in the application portal rather than the actual application. Learn more in Application portal.

Configuring application access control

Use application access control to define access to applications through roles and groups. For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications.

Steps

  1. In the PingOne admin console, go to Applications > Applications and browse or search for the application you want to configure.

  2. Click the application entry to open the details panel for the application.

  3. On the Access tab, click the Pencil icon.

  4. For Admin Only Access, to specify whether an administrator role is required to access the application, select the Must have admin role checkbox.

    Available roles are:

    • Organization Admin

    • Environment Admin

    • Identity Data Admin

    • Client Application Developer

      Learn more in Administrator Roles.

  5. For Group Membership Policy, specify the groups that can access the application by searching or browsing for the group.

    The list is updated as you enter the search criteria. Do one or more of the following:

    Option Description

    Add a group to the access list

    On the Groups tab, select the checkbox for a group name to add it to the Applied Groups list.

    Remove a group from the access list

    On the Applied Groups tab, clear the checkbox for the group name you want to remove.

    Require any group membership

    If you apply two or more groups, select User is a member of any applied group to require the user to be a member of any of the applied groups to access the application.

    Require all group membership

    If you apply two or more groups, select User must be a member of all applied groups to require the user to be a member of all applied groups to access the application.

    If you remove an existing group from the environment, then any members of the group lose access to the configured application.

  6. Click Save.

Auditing access events

You can use the Audit page to see a summary of user access events related to application access control.

Steps

  1. In the PingOne admin console, go to Monitoring > Audit.

  2. For Time Range, select the desired time span.

  3. For Filter Type, select Event Type.

  4. For Filter, select one of the following:

    • User Access Allowed: The user accessed the resource successfully.

    • User Access Denied: The user was denied access to the resource.

  5. Click Run.

Next steps

  • In the Activities list, see the Description column for specific events.

  • In the Details column, click View to see more detailed information about the event.