If you're using PingOne for Enterprise Directory as an identity repository, you can directly manage users in your directory.

Directory Entitlements

We recommend you add groups before adding any users. Your users' ability to view and change any user or group information in the directory is controlled through your assignment of directory roles to groups. Each role has associated entitlements to directory information. Users inherit the entitlements assigned to a role through their group memberships. The roles have ascending levels of entitlement: each role includes the entitlements assigned to a lower level role. A group can be assigned only one role. When a user is a member of more than one group, the highest level role assigned to any one of the user's groups is applied. The directory available roles are:
User Reader
Groups assigned this role are entitled only to view user and group directory information.
User Manager
Groups assigned this role have User Reader entitlements plus the ability to invite and create directory users and modify user attributes, though not group memberships.
Group and Entitlement Manager
Groups assigned this role have User Manager entitlements plus the ability to create directory groups, assign entitlements to groups and change group membership.

You need to be either a Global Administrator or Identity Repository Administrator to view and change directory settings.


The PingOne for Enterprise Directory supports user provisioning using the current SCIM protocol (System for Cross-Domain Identity Management: Protocol 1.1).

PingOne for Enterprise Directory attributes are SCIM attributes, and apply to all users. The predefined attributes for the directory are SCIM version 1.1 core schema attributes.


You will find user transactions logged for the PingOne for Enterprise Directory on the Reports page. These transactions are designated by the subsystem Directory. See Managing reports and subscriptions for more information.

Directory API

You can use the PingOne for Enterprise Directory REST API to validate credentials and authorize user access to perform user or group operations:

Access to the directory API requires that you have the client ID and API key for your account. See View or renew directory API credentials for instructions.