---
title: Configuring attribute access control
description: You can configure individual scopes, such as p1:read:user, or sub-scopes, such as p1:read:user:emailonly.
component: pingone
page_id: pingone:applications:p1_configure_attribute_access_control
canonical_url: https://docs.pingidentity.com/pingone/applications/p1_configure_attribute_access_control.html
revdate: January 10, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Configuring attribute access control

You can configure individual scopes, such as `p1:read:user`, or sub-scopes, such as `p1:read:user:emailonly`.

## About this task

Configure access control scopes to include specific attributes explicitly, rather than relying on the default settings, which allow all attributes, even new ones, to be read and updated. To do this, create sub-scopes for the attributes that you want to allow and assign individual attributes to each sub-scope.

## Steps

1. Go to **Applications > Resources**.

2. Click the **PingOne API** entry to open the details panel.

3. Click the **Scopes** tab.

4. Locate an existing scope to edit and then click the pencil icon.

5. Select the attributes that the end user will be able to access.

   To add a sub-scope, click **Add scope** (plus icon) under the appropriate scope name, enter the scope suffix, such as `emailonly`, for the scope name, and then select the attributes that the end user will be able to access.

6. Click **Save**.
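To review the result against the guidance in "About this task", the following added example (not PingOne code) audits a list of scope definitions and reports which scopes still allow every attribute and would therefore expose an attribute added later. The record layout (`name`, `schemaAttributes`, `*` meaning all attributes, a missing list meaning the default), the `p1:update:user` entry, the sample schema, and the `nationalId` attribute are assumptions constructed for the example.

```python
# Constructed sample data. The field names "name" and "schemaAttributes" and
# the "*" wildcard are assumptions for this example, not taken from the page.
SAMPLE_SCHEMA = ["username", "email", "name.given", "name.family", "mobilePhone"]
SAMPLE_SCOPES = [
    {"name": "p1:read:user", "schemaAttributes": ["*"]},
    {"name": "p1:read:user:emailonly", "schemaAttributes": ["email"]},
    {"name": "p1:update:user"},  # no explicit list: treated as the default
]

WILDCARD = "*"


def is_unrestricted(scope):
    """True when the scope has no explicit attribute list or uses the wildcard."""
    attrs = scope.get("schemaAttributes")
    return attrs is None or WILDCARD in attrs


def exposed_attributes(scope, schema):
    """Attributes from `schema` that a token carrying this scope can reach."""
    if is_unrestricted(scope):
        return set(schema)
    return set(scope["schemaAttributes"]) & set(schema)


def unknown_attributes(scope, schema):
    """Listed attributes that are not in the schema (typos, removed fields)."""
    listed = set(scope.get("schemaAttributes") or []) - {WILDCARD}
    return sorted(listed - set(schema))


def audit(scopes, schema, new_attribute):
    """Return (scopes allowing all attributes, scopes exposing new_attribute)."""
    unrestricted = sorted(s["name"] for s in scopes if is_unrestricted(s))
    grown = list(schema) + [new_attribute]  # schema after the attribute is added
    exposes_new = sorted(
        s["name"] for s in scopes if new_attribute in exposed_attributes(s, grown)
    )
    return unrestricted, exposes_new


if __name__ == "__main__":
    allow_all, leaks = audit(SAMPLE_SCOPES, SAMPLE_SCHEMA, "nationalId")
    print("Scopes allowing all attributes:", allow_all)
    print("Scopes that would expose 'nationalId':", leaks)
    for s in SAMPLE_SCOPES:
        print(s["name"], "->", sorted(exposed_attributes(s, SAMPLE_SCHEMA)))
```
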

## Related links

* [Attribute access control](p1_attribute_access_control.html)
