Managing policies
PingOne Privilege offers two ways to grant resource access: manual approvals of requests made through the self-service portal, and automated assignments based on policies.
A policy automatically grants permissions to the users, groups, or workloads it covers for a defined active period, and the access expires when that period ends. Policies are therefore well suited to time-bound access for projects with fixed durations; keep the roles granted and the active period as narrow as the work requires.
Creating an access policy for targets
To create a policy that grants access to a specific target, such as a server or database:
- In the PingOne Privilege admin console, click Targets.
- Locate the target you want to grant access to and click More Info.
- On the target details page, click Create Policy.
- Click Continue.
- Select the users or groups who'll be granted access through this policy, then click Continue.
- Enter a Policy Name and define the policy's active period by setting a Start Date, Start Time, End Date, and Hours.
- Click Submit to save and activate the policy.
Creating an access policy for cloud resources
To create an access policy for a cloud resource:
- In the PingOne Privilege admin console, go to Access Management > Resources.
- In the Resource Catalog, find the resource you want to create a policy for and click Policy.
- In the list, select one or more identity and access management (IAM) roles to include in the policy, and click the icon to add them to the queue. When you've selected all the roles to include, click Add To Request Queue.
- When you've added all necessary resources, click Continue.
- Enter a Policy Name and define the policy's active period by setting a Start Date, Start Time, End Date, and Hours.
- Click Submit to save and activate the policy.
Creating an access policy for workloads
A workload policy defines the specific access rights for a workload identity. Each policy specifies the cloud resources a workload can access, the IAM roles granted, and the time during which the permissions will be valid.
Follow these steps to create a policy that grants a workload access to resources within a specific cloud account:
- In the PingOne Privilege admin console, go to Access Management > Workloads and click the name of the workload identity for which you want to create a policy.
- In the Workload Information view, find the target cloud account and click the icon.
- In the Resource Catalog, find the resource you want to create a policy for and click Policy.
- In the list, select one or more identity and access management (IAM) roles to include in the policy, and click the icon to add them to the queue. When you've selected all the roles to include, click Add To Request Queue.
- When you've added all necessary resources, click Continue.
- Enter a Policy Name and define the policy's active period by setting a Start Date, Start Time, End Date, and Hours.
- Click Submit to save and activate the policy.

Note: If a workload is associated with multiple cloud accounts, you must create a separate policy for each account.
Extending an access policy
To extend an active policy:
- In the PingOne Privilege admin console, go to Policies.
- Locate the policy you want to extend and click More Info to open the policy details page.
- Click Edit > Extend Expiry.
- In the Extend Policy Expiry modal, update the End Time and click Save.

The policy's expiry is updated. Because an extension prolongs the access of every user, group, or workload the policy covers, review the roles it grants before extending it, just as you would for a new request.