Authorization policies in PingOne Authorize enable you to add more advanced API access rules that require several iterations of configuration and testing before deployment. Policy authoring supports fine-grained logic and an iterative workflow.

In this task, you'll configure an API operation to match the API requests used to start a new game. Instead of configuring basic access rules, you’ll opt into using custom policies.

You’ll create the fine-grained policy in a later task.

  1. In PingOne, go to Authorize > API Services.
  2. Click the Meme Game API service, and then click the Operations tab.
  3. Click Define Operation to create a new operation.

    First, define the operation by configuring a method and path combination that matches a client request to the API.

  4. Click Methods, and then select the POST method. Press tab or click outside the list of methods to close it.
    Screen capture showing the expanded Methods list in the Define Operation window.
  5. For Paths, enter the following:


    This is the API path for starting a new game. The path must start with a slash (/).

  6. For Name, enter Start a new game.
    Screen capture of the Create Operation window showing Method, Path, and Name settings.
  7. Click Next.

    Now, you’ll opt into using a custom policy instead of basic rules.

  8. Click the Custom toggle, and then click Save.
    Screen capture showing the Basic and Custom toggle for Access Rules.

    Next, confirm that you want to use a custom policy and won’t be able to switch back to using basic rules for this operation.

  9. In the Custom Rules window, select the I understand check box, and then click Switch to Custom Rules.
    Screen capture showing the I understand check box for switching to custom rules for an operation.

    All custom policies for operations under the same API service are deployed to the same decision endpoint. You chose the DEV endpoint when you set up the API service in Tutorial 1. You can change the endpoint by editing the API service.

    Now, if you expand the operation, it looks like this.

    Screen capture showing the expanded custom operation.

You’ve defined an API operation to match the API requests used to start a new game, and you’ve opted into using fine-grained policies for this operation.

Next, you’ll add attributes in the Trust Framework for your policy logic.