Operations in PingOne Authorize enable you to use built-in access control rules or custom policies to control access to API actions.
An API service operation is a method and path combination that matches a client request to the API. Add operations for API requests that you want to protect.
You can define up to 25 operations for each API service in an environment.
When PingOne is managing user directory services and access token validation for an API service, you can define built-in access control rules and custom policies for an operation. When these services are managed externally, you can define custom policies for an operation, but you can’t configure built-in access control rules.
- Access control rules
-
Built-in access control rules grant access to protected operations based on:
- User membership in groups. Before you grant access based on group membership, you must add users and create groups in PingOne.
- Authorized OAuth scopes. Scopes determine the resources that a client can access. For example, a banking application might use scopes to control the kinds of data shared with third-party applications.
- Authorized permissions. Before you grant access based on permissions, you must define permissions for the application resources that you want to protect.
PingOne Authorize automatically generates policies for built-in access control rules and deploys them when you deploy the associated API service.
Tip:For hands-on experience with defining access control rules for an API operation, see Tutorial 2: Controlling access to specific API operations.
- Custom policies
-
Custom policies handle more complex authorization scenarios, such as evaluating context by pulling in risk scores to determine access. You can enable custom policies when you define an API service or by editing the API service later.
The following steps provide information about configuring built-in access control rules for an operation. For more information about custom policies, see Adding custom policies for API services and operations.
If you configured a scope-based rule for the operation, make sure that you grant the same scopes to your PingOne application to ensure that clients are allowed to access the API operation. To do this, edit the list of allowed scopes on the application’s Resources tab. For more information, see Editing scopes for an application.
If you configured a permission-based rule for the operation, make sure that you assign permissions to roles, and assign roles to users.