Operations in PingOne Authorize enable you to use basic access control rules or custom policies to control access to API actions.
An API service operation is a method and path combination that matches a client request to the API. Add operations for API requests that you want to protect.
When PingOne is managing user directory services and access token validation for an API service, you can define built-in access control rules or custom policies for an operation. When these services are managed externally, you can only define custom policies for an operation; you can’t configure built-in access control rules.
- Basic rules
  Basic rules grant access to protected operations based on:
  - User membership in groups. Before you grant access based on group membership, make sure you add users and create groups in PingOne.
  - Authorized OAuth scopes. Scopes determine the resources that a client can access. For example, banking applications use scopes to control what data is shared with third-party applications.
  PingOne Authorize automatically generates policies for basic rules and deploys them to the API Access Management endpoint.
  Tip: For hands-on experience with defining basic rules for an API operation, see Tutorial 2: Controlling access to specific API operations.
- Custom rules
  Custom rules enable you to use fine-grained policies that evaluate context to determine access. After you opt into using custom rules for an operation, create a policy that targets the operation and deploy the policy to the decision endpoint specified for the API service.
  Tip: For hands-on experience with writing a custom policy for an API operation, see Tutorial 3: Fine-grained API authorization.
Adding basic rules
- Optional: Define group-based access control rules:
- Optional: Define scope-based access control rules:
- Click Save.
If you defined scope-based rules for the operation, make sure you grant the same scopes to PingOne applications so that clients are allowed to access the API operation. To do this, edit the list of allowed scopes on the application’s Resources tab. For more information, see Editing scopes for an application.
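A mismatch between the scopes an operation requires and the scopes granted to applications can be caught by comparing the two lists. The following Python is an added example, not PingOne code or a PingOne export format: the operation inventory, application names and scope names are constructed, and it assumes a client must hold every scope listed in an operation's rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    method: str        # HTTP method of the operation
    path: str          # path of the operation
    scopes: frozenset  # scopes named in its scope-based rule (empty = no scope rule)


# Constructed inventory; methods, paths, app names and scopes are illustrative only.
OPERATIONS = [
    Operation("GET", "/accounts", frozenset({"accounts:read"})),
    Operation("POST", "/payments", frozenset({"payments:write", "accounts:read"})),
    Operation("DELETE", "/accounts/{id}", frozenset({"accounts:admin"})),
    Operation("GET", "/health", frozenset()),
]
APP_ALLOWED_SCOPES = {
    "mobile-app": {"accounts:read", "payments:write"},
    "partner-app": {"accounts:read"},
}


def audit_scope_grants(operations, app_scopes):
    """Map each scope-protected operation to the apps that can satisfy its rule.

    Assumption: a client must hold every scope listed in the rule.
    """
    granted_somewhere = set().union(*app_scopes.values())
    report = {}
    for op in operations:
        if not op.scopes:
            continue  # no scope-based rule defined for this operation
        apps = sorted(a for a, s in app_scopes.items() if op.scopes <= set(s))
        report[f"{op.method} {op.path}"] = {
            "apps": apps,
            "ungranted_scopes": sorted(op.scopes - granted_somewhere),
        }
    return report


def unreachable_operations(report):
    """Operations whose scope rule no application can satisfy."""
    return sorted(op for op, r in report.items() if not r["apps"])


if __name__ == "__main__":
    rep = audit_scope_grants(OPERATIONS, APP_ALLOWED_SCOPES)
    for op, result in rep.items():
        print(op, result)
    print("unreachable:", unreachable_operations(rep))
```

An operation listed as unreachable has a scope rule that no application's allowed scopes cover, so every client request to it would be denied until the scope is added on an application's Resources tab.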
Adding custom rules
Test and then publish your policy. For more information, see Testing a policy and Publishing a version.