In the previous section, you used PingDataGovernance Server to filter data that an external REST API returned.

While PingDataGovernance Server's API security gateway protects existing REST APIs, PingDataGovernance Server's built-in SCIM service provides a REST API for accessing and protecting identity data that might be contained in datastores like LDAP and relational databases.

PingDataGovernance Server uses SCIM in the following ways:

  • Internally, user identities are represented as SCIM identities by way of one or more SCIM resource types and schemas. This approach includes access token subjects, which are always mapped to a SCIM identity.
  • A SCIM REST API service provides access to user identities through HTTP.

You will now design a set of policies to control access to the SCIM REST API by using OAuth 2 access token rules.

Before proceeding, make a test request to see how the SCIM REST API responds when only the default policies are in place. As in the previous section, a mock access token is used.

curl --insecure -X GET https://localhost:7443/scim/v2/Me -H 'Authorization: Bearer {"active": true, "sub": "user.1", "scope": "nonexistent.scope", "client_id": "nonexistent.client"}'

Although the precise attribute values might vary, the response returns the SCIM resource that corresponds to user.1.

{"mail":[""],"initials":["RJV"],"homePhone":["+1 091 438 1890"],
"pager":["+1 472 824 8704"],"givenName":["Romina"],"employeeNumber":"1","telephoneNumber":["+1 319 624 9982"],
"mobile":["+1 650 622 7719"],"sn":["Valerio"],"cn":["Romina Valerio"],
"description":["This is the description for Romina Valerio."],"street":["84095 Maple Street"],
"st":["NE"],"postalAddress":["Romina Valerio$84095 Maple Street$Alexandria, NE  39160"],

This request succeeds, which is not the desired outcome: it shows that any active access token that references a valid user can be used to read any data.

In this tutorial, you use the OIDC-like scopes email and profile to limit the requester's access to specific attributes of the user profile that granted the access token.

Also, you create a scope scimAdmin that has full access to SCIM-based User resources.

This tutorial walks you through these tasks.

  1. Create a basic policy structure for scope-based access to SCIM resources.
  2. Create a policy for the email scope that only allows access to the subject's mail attributes.
  3. Create a policy for the profile scope that only allows access to a few other profile attributes.
  4. Create a policy for the scimAdmin scope that allows access to all attributes.

The following sections provide the details for completing these tasks.
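To make the access decisions these four tasks aim to produce concrete, here is an added Python model written for this page; it is not PingDataGovernance Server's policy language or its SCIM implementation. It applies scope-based attribute filtering to the mock "Bearer {json}" token format from the curl request above; the per-scope attribute lists and the sample user records are assumptions.

```python
import json

# Assumed attribute allow-lists per scope. The tutorial names the scopes;
# the exact attribute sets are chosen here for illustration.
SCOPE_ATTRIBUTES = {
    "email": {"mail"},
    "profile": {"givenName", "sn", "cn", "initials"},
}
ADMIN_SCOPE = "scimAdmin"

# Constructed sample datastore (a subset of the user.1 response plus a second user).
USERS = {
    "user.1": {"mail": [""], "initials": ["RJV"], "givenName": ["Romina"], "sn": ["Valerio"],
               "cn": ["Romina Valerio"], "telephoneNumber": ["+1 319 624 9982"], "employeeNumber": "1"},
    "user.2": {"mail": ["u2@example.com"], "givenName": ["Other"], "sn": ["User"], "cn": ["Other User"]},
}


def parse_mock_token(authorization_header):
    """Parse the mock 'Bearer {json}' token used in the tutorial's curl request."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        return json.loads(token)
    except json.JSONDecodeError:
        return None


def authorize_scim_get(authorization_header, resource_id):
    """Return (status, body) for GET /scim/v2/Users/{id} or GET /scim/v2/Me.

    Decision rules mirror the tutorial's tasks:
      * scimAdmin            -> every attribute of any user
      * email / profile      -> only the listed attributes, and only for the token's own subject
      * anything else        -> denied (inactive token, unknown scopes, another user's resource)
    """
    token = parse_mock_token(authorization_header)
    if not token or not token.get("active"):
        return 401, {"detail": "invalid or inactive token"}
    scopes = set(token.get("scope", "").split())
    subject = token.get("sub")
    target = subject if resource_id == "Me" else resource_id
    user = USERS.get(target)
    if user is None:
        return 404, {"detail": "no such resource"}
    if ADMIN_SCOPE in scopes:
        return 200, dict(user)
    allowed = set().union(*(SCOPE_ATTRIBUTES.get(s, set()) for s in scopes))
    if not allowed or target != subject:
        return 403, {"detail": "insufficient scope"}
    return 200, {k: v for k, v in user.items() if k in allowed}
```

With this model, the tutorial's request (scope nonexistent.scope) is denied with 403 instead of returning the full resource.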