Define application permissions for the application resources that you want to protect.
Add a custom resource for your protected endpoints.
Application resources are features that users want to access, such as checking and savings accounts, an investment services add-on, or an invoicing module in a business application.
PingOne platform resources, such as identities and PingOne APIs, are protected by PingOne platform roles and permissions. Application resources protect access to resources that are developed by your organization’s engineering teams.
An application permission is the combination of an action and a resource. Think of permissions as actions that can be taken on a resource. Configure application permissions by assigning actions to application resources.
You can add up to 128 application resources and 128 application permissions in each PingOne environment.
For example, consider a business application called BizPro that has invoicing capabilities.
Endpoints for the associated invoicing API allow the following actions on the invoices resource:
- Read invoices: GET /bizpro/invoices
- Create an invoice: POST /bizpro/invoices
- Update an invoice: PUT /bizpro/invoices/{{invoiceId}}
- Pay an invoice: POST /bizpro/invoices/{{invoiceId}}/pay
- Void an invoice: POST /bizpro/invoices/{{invoiceId}}/void
To control access to invoices, you create corresponding application permissions:
- Invoices:Read
- Invoices:Write
- Invoices:Update
- Invoices:Pay
- Invoices:Void
Application roles simplify managing these permissions. For example, David, an invoicing processor, might have permissions to create and pay invoices, while Melissa, the billing supervisor, can view and void invoices. Learn more in Adding an application role.
Assign permissions to roles.
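
A deny-by-default check built on the BizPro mapping above, as an added example (not PingOne code and not part of the original page). It assumes the API already knows the caller's role names; the role identifiers, the function names, and the pairing of "Create an invoice" with Invoices:Write are assumptions.

```python
import re

# Endpoint-to-permission map from the BizPro example. Pairing "Create an
# invoice" with Invoices:Write is an assumption based on list order.
ROUTES = [
    ("GET",  "/bizpro/invoices",                    "Invoices:Read"),
    ("POST", "/bizpro/invoices",                    "Invoices:Write"),
    ("PUT",  "/bizpro/invoices/{{invoiceId}}",      "Invoices:Update"),
    ("POST", "/bizpro/invoices/{{invoiceId}}/pay",  "Invoices:Pay"),
    ("POST", "/bizpro/invoices/{{invoiceId}}/void", "Invoices:Void"),
]

# Constructed role definitions following the David / Melissa description.
ROLES = {
    "invoicing-processor": {"Invoices:Write", "Invoices:Pay"},
    "billing-supervisor": {"Invoices:Read", "Invoices:Void"},
}

def _compile(template):
    # A {{name}} placeholder matches exactly one path segment, never a "/".
    parts = re.split(r"\{\{\w+\}\}", template)
    return re.compile("[^/]+".join(re.escape(p) for p in parts))

_COMPILED = [(method, _compile(tpl), perm) for method, tpl, perm in ROUTES]

def required_permission(method, path):
    """Return the permission guarding this endpoint, or None if it is unmapped."""
    for route_method, pattern, perm in _COMPILED:
        if route_method == method.upper() and pattern.fullmatch(path):
            return perm
    return None

def effective_permissions(role_names):
    """Union of permissions from all assigned roles; unknown roles grant nothing."""
    perms = set()
    for name in role_names:
        perms |= ROLES.get(name, set())
    return perms

def is_allowed(role_names, method, path):
    """Deny by default: unmapped endpoints and missing permissions are refused."""
    perm = required_permission(method, path)
    return perm is not None and perm in effective_permissions(role_names)
```

Because the same POST method guards create, pay, and void, the check keys on method and path together rather than on the method alone.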