The first policy defines the access token scopes that PingAuthorize Server accepts for SCIM requests.
The following table defines these scopes.
Scope | Allowed actions | Applies to |
---|---|---|
scimAdmin | search, retrieve, create/modify, delete | Any data |
email | retrieve | Requester's email attributes |
profile | retrieve | Requester's profile attributes |
To create the policy and add rules to define the scopes, perform the following steps:
- Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
- Click Policies.
- Expand Global Decision Point, SCIM Policy Set, and Token Policies.
- Highlight Scope Policies.
- Next to Advice and Obligations, click +.
- Click Components.
- From the Advice list, drag Insufficient Scope to the area immediately following Advice and Obligations. A box appears for you to drop the item into.
- Click Save changes.
- Click Policies to the left of Components.
- Highlight Scope Policies.
- From the + menu, select Add Policy.
- For the name, replace Untitled with Permitted Scopes.
- Change the combining algorithm to A single deny will override any permit decisions.
- Click Save changes.