The first policy defines the access token scopes that PingAuthorize Server accepts for SCIM requests.
The following table defines these scopes.
| Scope | Allowed actions | Applies to |
|---|---|---|
| scimAdmin | search, retrieve, create/modify, delete | Any data |
| retrieve | Requester's email attributes | |
| profile | retrieve | Requester's profile attributes |
To create the policy and add rules to define the scopes, perform the following steps:
- Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
- Click Policies.
- Expand Global Decision Point, SCIM Policy Set, and Token Policies.
- Select Scope Policies.
- Next to Statements, click +.
- Click Components.
- From the Statements list, drag Insufficient Scope to the area immediately following the Statements section. A box appears for you to drop the item into.
- Click Save changes.
- Click Policies to the left of Components.
- Select Scope Policies.
- From the + menu, select Add Policy.
- For the name, replace Untitled with Permitted Scopes.
- Change the combining algorithm to A single deny will override any permit decisions.
- Click Save changes.