Create and Assign App Roles
Number of APIs: 9
This activity shows you how to create and assign application roles to users, which helps to simplify managing application permissions.
Application permissions are used to protect application resources, and can be thought of as the actions that can be taken on a resource. Application roles are associated with application permissions, and can be assigned to users to determine which actions they can perform on an application resource.
In this activity, you'll create a custom resource and use the PingOne Authorize Endpoint to create an application permission and application role. You'll then assign the application role to a user.
The following operations are supported by the PingOne APIs:
- Create an application
- Create a custom resource
- Create PingOne Authorize application resources, roles, and permissions
- Create user application role assignments
Prerequisites
- You must have the PING_ONE_AUTHORIZE capability in the Bill of Materials (BOM) for your environment to run the PingOne Authorize requests to create application resources, application roles, and application permissions.
- Create a user to get a userID. See Create User or Read All Users to find an existing user. A userID is needed to assign an application role to a user in this activity.
- Get an access token from the worker application you created in Getting Started with the PingOne APIs. If you prefer to get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. See GET a Worker Application Access Token.
Workflow order of operations
To create application permissions, application roles, and assign application roles to a user, the following tasks must be completed successfully:
1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.
2. Make a POST request to /environments/{{envID}}/resources to define the custom resource.
3. Make a POST request to /environments/{{envID}}/resources/{{resourceID}}/scopes to define a scope for the custom resource.
4. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.
5. Make a POST request to /environments/{{envID}}/resources/{{customResourceID}}/applicationResources to create the application resource.
6. Make a POST request to /environments/{{envID}}/applicationResources/{{appResourceID}}/permissions to create the application resource permission.
7. Make a POST request to /environments/{{envID}}/applicationRoles to create an application role.
8. Make a POST request to /environments/{{envID}}/applicationRoles/{{appRoleID}}/permissions to assign an application resource permission to the specified role.
9. Make a POST request to /environments/{{envID}}/users/{{userID}}/applicationRoles to assign the application role to a user.
- Step 1: Create a web application POST {{apiPath}}/environments/{{envID}}/applications
- Step 2: Create a custom resource POST {{apiPath}}/environments/{{envID}}/resources
- Step 3: Create a custom resource scope POST {{apiPath}}/environments/{{envID}}/resources/{{customResourceID}}/scopes
- Step 4: Assign a resource grant to the web application POST {{apiPath}}/environments/{{envID}}/applications/{{customResourceAppID}}/grants
- Step 5: Create an application resource POST {{apiPath}}/environments/{{envID}}/resources/{{customResourceID}}/applicationResources
- Step 6: Create application permissions POST {{apiPath}}/environments/{{envID}}/applicationResources/{{appResourceID}}/permissions
- Step 7: Create an application role POST {{apiPath}}/environments/{{envID}}/applicationRoles
- Step 8: Create application role permissions POST {{apiPath}}/environments/{{envID}}/applicationRoles/{{appRoleID}}/permissions
- Step 9: Assign the application role to user POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/applicationRoles
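The nine steps chain IDs from one response into the next request path, so the order matters. The following added example (not part of the PingOne documentation) dry-runs that chain and refuses to send anything if a placeholder cannot be resolved, which avoids leaving a half-provisioned application behind. The `send` callable, the variable names `scopeID` and `appPermissionID`, and the assumption that every create response carries an `id` field are illustrative; request bodies are left to `send` because this page does not list them.

```python
import re

# (path template as listed in the steps above, variable that stores the response "id").
# scopeID and appPermissionID are hypothetical names; the page does not name them.
STEPS = [
    ("{{apiPath}}/environments/{{envID}}/applications", "customResourceAppID"),
    ("{{apiPath}}/environments/{{envID}}/resources", "customResourceID"),
    ("{{apiPath}}/environments/{{envID}}/resources/{{customResourceID}}/scopes", "scopeID"),
    ("{{apiPath}}/environments/{{envID}}/applications/{{customResourceAppID}}/grants", None),
    ("{{apiPath}}/environments/{{envID}}/resources/{{customResourceID}}/applicationResources", "appResourceID"),
    ("{{apiPath}}/environments/{{envID}}/applicationResources/{{appResourceID}}/permissions", "appPermissionID"),
    ("{{apiPath}}/environments/{{envID}}/applicationRoles", "appRoleID"),
    ("{{apiPath}}/environments/{{envID}}/applicationRoles/{{appRoleID}}/permissions", None),
    ("{{apiPath}}/environments/{{envID}}/users/{{userID}}/applicationRoles", None),
]
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def check_order(steps, initial):
    """Dry run: return (step_number, missing_vars) for the first unresolvable step, else None."""
    known = set(initial)
    for number, (template, produces) in enumerate(steps, 1):
        missing = [v for v in PLACEHOLDER.findall(template) if v not in known]
        if missing:
            return number, missing
        if produces:
            known.add(produces)
    return None

def run_workflow(send, ctx, steps=STEPS):
    """POST each step in order, feeding each response id into later paths."""
    problem = check_order(steps, ctx)
    if problem:  # fail before the first POST, so nothing is created partially
        raise ValueError("step %d has unresolved placeholders: %s" % problem)
    ctx = dict(ctx)
    urls = []
    for template, produces in steps:
        url = PLACEHOLDER.sub(lambda m: ctx[m.group(1)], template)
        response = send("POST", url, dict(ctx))  # send builds the body and adds the token
        if produces:
            ctx[produces] = response["id"]  # assumption: create responses include "id"
        urls.append(url)
    return urls, ctx

if __name__ == "__main__":
    # Constructed values; the lambda stands in for an authenticated HTTP client.
    start = {"apiPath": "https://api.example.test/v1", "envID": "env-1", "userID": "user-1"}
    counter = iter(range(1, 10))
    urls, _ = run_workflow(lambda m, u, c: {"id": "id-%d" % next(counter)}, start)
    print("\n".join(urls))
```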