To control data access at the user level, configure PingAuthorize Server to use a user store. The user store supplies attributes about the user who is invoking APIs, or about the user on whose behalf a service is invoking APIs, and policies can evaluate those attributes when deciding whether to allow a request.
PingAuthorize Server assumes PingDirectory Server as the default user store, but other LDAPv3-compliant directories are also supported.
You can configure a user store using the prepare-external-store and create-initial-config commands.
prepare-external-store
When PingDirectory Server is the user store, prepare it first by running prepare-external-store. This tool completes the following tasks:
- Creates the PingAuthorize Server user account on your instance of PingDirectory Server
- Sets that account's password
- Grants the account the privileges it requires
- Installs the schema that PingAuthorize Server requires
create-initial-config
The create-initial-config command configures connectivity between PingAuthorize Server and the user store. It also creates a System for Cross-domain Identity Management (SCIM) resource type through which PingAuthorize Server obtains the user attributes.
Although create-initial-config is optional, it is recommended for first-time installers. If you do not use it, you must configure the following objects yourself:
- Store adapter
- SCIM resource type
- SCIM schema (optional)
Without these objects, the user's profile (the requester's attributes) is not available to policies. For more information, see Make a user's profile available in policies.
For more information about configuring SCIM, see About the SCIM service.
Example
For an example, see Configuring the PingAuthorize user store.