Organizations worldwide are seeking ways to introduce new use cases and partnerships to accelerate their businesses. At the heart of any new use case or partnership is a question of entitlement. Can a given user perform this action or see some information? Can a given partner access some data or all data?

As use cases become more sophisticated and sensitive data becomes more regulated, the rules that answer these questions of entitlement have become more complex. For example, the user can only perform the action after their account has been open for a month and they've completed on-boarding. Or, the partner can only access user data for those users who have opted-in.

Traditionally, solving complex rules of entitlement requires coding logic into applications, services, and APIs. However, coding entitlement logic creates challenges around visibility, flexibility, time-to-market, duplicated effort, and more.

PingDataGovernance solves the challenge of entitlement for fine-grained access control and data protection.

Key components

PingDataGovernance Policy Administration GUI
Powered by Symphonic, the PingDataGovernance Policy Administration GUI enables nontechnical stakeholders to collaborate with IT to define and test the policies of entitlement. These policies are strictly attribute-based business rules. PingDataGovernance does not store mappings of specific users or groups to actions and resources. Rather, entitlement is determined dynamically at runtime by the PingDataGovernance Server connecting to the attribute sources across the enterprise.
PingDataGovernance Server

The PingDataGovernance Server includes the runtime policy decision service and multiple policy enforcement capabilities. The policy decision service determines whether fine-grained actions can be taken or data can be accessed. Enforcement of these decisions can be handled in several ways:

  • Policy Decision Point (PDP) API

    Applications or services call into the policy decision service using the PDP API and enforce the decision in their own application or service code.

  • API Security Gateway and Sideband API

    For fine-grained access control and data protection within application, platform, or microservice APIs, customers can integrate the API Security Gateway or Sideband API into their API architecture. In this configuration, the PingDataGovernance Server inspects API requests and responses, and then enforces policy by blocking, filtering, obfuscating, or otherwise modifying request and response data and attributes. This approach requires little or no code changes by the API developer.

  • SCIM Service

    For fine-grained access control and data protection to data stored in structured data stores like LDAP and RDBMS, customers can deploy the SCIM Service in front of their data stores. In this configuration, the PingDataGovernance Server provides a SCIM-based microservice API though which clients create, read, update, and delete (CRUD) data. The SCIM Service enforces policy by blocking, filtering, obfuscating, or otherwise modifying data and attributes.


The available enforcement features described above vary depending on your subscription. For more information, check your PingDataGovernance license key or contact your Ping Identity account representative.

Next steps

To quickly see PingDataGovernance in action, see Getting started with PingDataGovernance (tutorials).