---
title: Managing Authorize gateway roles
description: Authorize gateways require specific permissions to interact with PingOne services.
component: pingone
page_id: pingone:integrations:p1_manage_authz_gateway_roles
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_manage_authz_gateway_roles.html
section_ids:
  authorize-gateway-policy-evaluator-role: Authorize Gateway Policy Evaluator role
  custom-gateway-roles: Custom gateway roles
  assigning-roles-to-gateways: Assigning roles to gateways
  before-you-begin: Before you begin
  steps: Steps
---

# Managing Authorize gateway roles

Authorize gateways require specific permissions to interact with PingOne services.

## Authorize Gateway Policy Evaluator role

Authorize gateways automatically have the **Authorize Gateway Policy Evaluator** role. This role grants the minimum permissions required for the gateway to interact with PingOne, adhering to the principle of least privilege. These environment-level permissions include:

* **Read Authorize Gateway Deployment**: Allows reading the deployment configuration for authorization policy versions and minimum supported gateway instance versions.

* **Read Gateway**: Allows reading gateway configuration details.

These permissions let the gateway download authorization policy versions and check for gateway version compatibility.

If you accidentally remove the **Authorize Gateway Policy Evaluator** role from a gateway, disable and then re-enable the gateway to restore this role.

Older gateways might have the **Environment Admin** role. When you update an older gateway, the **Authorize Gateway Policy Evaluator** role is assigned automatically. You can then remove the **Environment Admin** role so that the gateway operates under the principle of least privilege.

## Custom gateway roles

You can assign any built-in or custom [administrator roles](../directory/p1_roles.html) to Authorize gateways, provided you have the necessary permissions to assign them.

When your authorization policies include PingOne user details, group membership checks, or risk scores from the PingOne Protect Connector, the Authorize gateway requires additional permissions for policy evaluation. You can add a custom role with these permissions and assign it to the Authorize gateway.

To adhere to the principle of least privilege, create a custom role using the default **Authorize Gateway Policy Evaluator** role as a source of initial permissions, and add extra permissions as needed.

PingOne-related policy features require the following permissions:

| Policy feature                                                         | Permission                                |
| ---------------------------------------------------------------------- | ----------------------------------------- |
| **PingOne User** resolver                                              | **Directory > Read User**                 |
| **Is Member Of** and **Is Not Member Of** group membership comparators | **Directory > Read Group Membership**     |
| **Create Risk Evaluation** Connector service capability                | **Threat Protection > Create Evaluation** |
| **Update Risk Evaluation** Connector service capability                | **Threat Protection > Update Evaluation** |
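
The following least-privilege check is an added example built on the table above; it is not PingOne code and does not call any PingOne API. It assumes a constructed inventory of gateways, their assigned roles, and the policy features they use (the gateway names, the custom role name, and the feature labels are hypothetical), and it reports permissions that are missing or in excess once broad roles are set aside.

```python
# Added example. Permission names are the display names on this page; the
# role inventory is constructed sample data, not a PingOne API response.
BASELINE = frozenset({"Read Authorize Gateway Deployment", "Read Gateway"})
GROUP = "Directory > Read Group Membership"
FEATURE_PERMISSION = {
    "PingOne User resolver": "Directory > Read User",
    "Is Member Of comparator": GROUP,
    "Is Not Member Of comparator": GROUP,
    "Create Risk Evaluation capability": "Threat Protection > Create Evaluation",
    "Update Risk Evaluation capability": "Threat Protection > Update Evaluation",
}
BROAD_ROLES = {"Environment Admin"}  # role this page says to remove after an update


def audit_gateway(gateway, role_permissions):
    """Compare what a gateway's narrow roles grant with what its policies need."""
    required = set(BASELINE) | {FEATURE_PERMISSION[f] for f in gateway["policy_features"]}
    granted, broad = set(), []
    for role in gateway["roles"]:
        if role in BROAD_ROLES:
            broad.append(role)  # left out of `granted` so gaps stay visible
        else:
            granted |= role_permissions[role]
    return {
        "broad_roles": broad,
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


# Constructed inventory (hypothetical gateway and custom role names).
ROLE_PERMISSIONS = {
    "Authorize Gateway Policy Evaluator": set(BASELINE),
    "Gateway Custom Evaluator": set(BASELINE) | {GROUP, "Threat Protection > Create Evaluation"},
}
GATEWAYS = [
    {"name": "gw-legacy", "roles": ["Environment Admin", "Authorize Gateway Policy Evaluator"],
     "policy_features": ["PingOne User resolver"]},
    {"name": "gw-current", "roles": ["Gateway Custom Evaluator"],
     "policy_features": ["Is Member Of comparator"]},
]

if __name__ == "__main__":
    for gw in GATEWAYS:
        print(gw["name"], audit_gateway(gw, ROLE_PERMISSIONS))
```

A non-empty `missing` list for a gateway that still holds a broad role shows which permissions a custom role must carry before the broad role is removed.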

## Assigning roles to gateways

Assign and unassign roles to ensure your Authorize gateways have the necessary permissions to evaluate authorization policies.

### Before you begin

* [Set up an Authorize gateway](p1_set_up_authz_gateway.html).

* Create any custom roles you want to assign to a gateway. Learn more in [Adding a custom administrator role](../directory/p1_custom_role_add.html).

### Steps

1. In the PingOne admin console, go to **Integrations > Gateways** and click the Authorize gateway you want to work with.

2. On the **Roles** tab, click **Grant Roles**.

3. On the **Available Responsibilities** tab, click the relevant role.

4. To assign the role to the gateway, select the checkboxes next to applicable environments.

5. To remove a role assignment from the gateway, clear the checkboxes next to applicable environments.

   Assigning roles to gateways is similar to assigning roles to users. Learn more about assigning and removing roles in [Managing user roles](../directory/p1_manage_user_roles.html).

6. Click **Save**.
