Configuring attribute access control
You can configure individual scopes, such as p1:read:user, or sub-scopes, such as p1:read:user:emailonly.
About this task
You should configure access control scopes to include specific attributes explicitly, rather than using the default settings that allow all attributes, even new ones, to be read and updated. You can do this by creating sub-scopes for attributes that you want to allow, and assigning individual attributes to that scope.
Steps
- Go to Applications → Resources.
- Click the PingOne API entry to open the details panel.
- Click the Scopes tab.
- Locate an existing scope to edit and then click the pencil icon.
- Select the attributes that the end user will be able to access.
  To add a sub-scope, click Add scope under the appropriate scope name and enter the scope suffix, such as emailonly, for the scope name, and then select the attributes that the end user will be able to access.
- Click Save.
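The reasoning in "About this task", as an added example that is not part of the PingOne documentation: a Python audit over a constructed list of scope definitions that flags user scopes still open to all attributes and shows what a later schema addition does to each scope. The `name` and `schemaAttributes` field names, the `*` wildcard, and the `loyaltyId` attribute are assumptions of the sample.

```python
import json

# Constructed sample of scope definitions. The field names and the "*"
# wildcard are assumptions of this example, not a documented export format.
SAMPLE_SCOPES = json.loads("""
[
  {"name": "p1:read:user", "schemaAttributes": ["*"]},
  {"name": "p1:update:user"},
  {"name": "p1:read:user:emailonly", "schemaAttributes": ["email"]}
]
""")

USER_SCOPES = ("p1:read:user", "p1:update:user")


def is_user_scope(name):
    """True for a base user scope or any sub-scope (base + ':' + suffix)."""
    return any(name == base or name.startswith(base + ":") for base in USER_SCOPES)


def audit_scopes(scopes):
    """Map scope name -> finding for scopes without an explicit attribute list."""
    findings = {}
    for scope in scopes:
        name = scope.get("name", "")
        if not is_user_scope(name):
            continue
        attrs = scope.get("schemaAttributes")
        if not attrs:
            findings[name] = "no attribute list (treated here as all attributes)"
        elif "*" in attrs:
            findings[name] = "wildcard: attributes added later are exposed too"
    return findings


def effective_attributes(scope, schema):
    """Attributes a token with this scope could reach, given the schema."""
    attrs = scope.get("schemaAttributes") or ["*"]
    if "*" in attrs:
        return sorted(schema)
    return sorted(set(attrs) & set(schema))


if __name__ == "__main__":
    schema = {"email", "username"}
    grown = schema | {"loyaltyId"}  # hypothetical attribute added later
    for scope in SAMPLE_SCOPES:
        print(scope["name"], effective_attributes(scope, schema),
              "->", effective_attributes(scope, grown))
    print(audit_scopes(SAMPLE_SCOPES))
```

Only the emailonly sub-scope keeps the same effective attribute set after the schema grows; the two base scopes pick up the new attribute without any configuration change.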