If you want to control data access at the user level, configure PingAuthorize Server to use a user store. The user store lets PingAuthorize Server obtain attributes about the user who is invoking APIs (or the user on whose behalf a service is invoking APIs) and evaluate those attributes as part of policy.
Although PingAuthorize Server assumes that PingDirectory Server is the default user store, other LDAPv3-compliant directories are also supported.
You can configure a user store using the prepare-external-store and create-initial-config commands.
When using PingDirectory Server as the user store, first prepare the server by running prepare-external-store. This tool completes the following tasks:
- Creates the PingAuthorize Server user account on your instance of PingDirectory Server
- Sets the correct password
- Configures the account with the required privileges
- Installs the schema that PingAuthorize Server requires
The create-initial-config command configures connectivity between PingAuthorize Server and the user store. It also creates a System for Cross-domain Identity Management (SCIM) resource type through which PingAuthorize Server obtains the user attributes.
The create-initial-config command is optional but recommended for first-time installers. If you do not use create-initial-config, you can configure the following objects yourself:
- Store adapter
- SCIM resource type
- SCIM schema (optional)
If you do not configure these objects, you do not get the user's profile (the requester's attributes). For more information, see User profile availability in policies.
For more information about configuring SCIM, see About the SCIM service.
For an example, see Configuring the PingAuthorize user store.