PingOne

Managing Authorize gateway roles

Authorize gateways require specific permissions to interact with PingOne services.

Authorize Gateway Policy Evaluator role

Authorize gateways automatically have the Authorize Gateway Policy Evaluator role. This role grants the minimum permissions required for the gateway to interact with PingOne, adhering to the principle of least privilege. These environment-level permissions include:

  • Read Authorize Gateway Deployment: Allows reading the deployment configuration for authorization policy versions and minimum supported gateway instance versions.

  • Read Gateway: Allows reading gateway configuration details.

These permissions let the gateway download authorization policy versions and check for gateway version compatibility.

If you accidentally remove the Authorize Gateway Policy Evaluator role from a gateway, disable and then re-enable the gateway to restore this role.

Older gateways might have the Environment Admin role. When you update an older gateway, the Authorize Gateway Policy Evaluator role is assigned automatically. You can then remove the Environment Admin role so that the gateway operates under the principle of least privilege.

Custom gateway roles

You can assign any built-in or custom administrator roles to Authorize gateways, provided you have the necessary permissions to assign them.

When your authorization policies include PingOne user details, group membership checks, or risk scores from the PingOne Protect Connector, the Authorize gateway requires additional permissions for policy evaluation. You can add a custom role with these permissions and assign it to the Authorize gateway.

PingOne-related policy features require the following permissions:

Policy feature                                                    Permission

PingOne User resolver                                             Directory > Read User

Is Member Of and Is Not Member Of group membership comparators    Directory > Read Group Membership

Create Risk Evaluation Connector service capability               Threat Protection > Create Evaluation

Update Risk Evaluation Connector service capability               Threat Protection > Update Evaluation
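
An added example (not Ping Identity's code) that checks a gateway inventory against the role guidance and permission table above: it flags a leftover Environment Admin role and reports which permissions are still missing or unused once that role is removed. The inventory format and the "Policy Data Reader" custom role are assumptions, and the sample data is constructed.

```python
# Added example: the inventory format and the "Policy Data Reader" role are
# hypothetical; role, feature and permission names are quoted from this page.
BASELINE_ROLE = "Authorize Gateway Policy Evaluator"
LEGACY_ROLE = "Environment Admin"

# Policy feature -> permission it requires (the table on this page).
FEATURE_PERMISSION = {
    "PingOne User resolver": "Directory > Read User",
    "Is Member Of and Is Not Member Of group membership comparators":
        "Directory > Read Group Membership",
    "Create Risk Evaluation Connector service capability":
        "Threat Protection > Create Evaluation",
    "Update Risk Evaluation Connector service capability":
        "Threat Protection > Update Evaluation",
}

def audit_gateway(gateway, role_permissions):
    """Return least-privilege findings for one gateway record."""
    roles = set(gateway["roles"])
    findings = []
    if BASELINE_ROLE not in roles:
        findings.append("MISSING_ROLE: " + BASELINE_ROLE)
    if LEGACY_ROLE in roles:
        findings.append("EXCESS_ROLE: " + LEGACY_ROLE)
    # Coverage is computed without the legacy role, so the result shows what
    # the gateway can still do once Environment Admin has been removed.
    granted = set().union(*(role_permissions.get(r, set())
                            for r in roles - {LEGACY_ROLE}))
    needed = {FEATURE_PERMISSION[f] for f in gateway["features"]}
    findings += ["MISSING_PERMISSION: " + p for p in sorted(needed - granted)]
    unused = (granted & set(FEATURE_PERMISSION.values())) - needed
    findings += ["UNUSED_PERMISSION: " + p for p in sorted(unused)]
    return findings

# Constructed sample data, not exported from a real environment.
ROLE_PERMISSIONS = {
    BASELINE_ROLE: {"Read Authorize Gateway Deployment", "Read Gateway"},
    "Policy Data Reader": {"Directory > Read User",
                           "Directory > Read Group Membership"},
}
GATEWAYS = [
    {"name": "gw-legacy", "roles": [LEGACY_ROLE, BASELINE_ROLE],
     "features": ["PingOne User resolver"]},
    {"name": "gw-current", "roles": [BASELINE_ROLE, "Policy Data Reader"],
     "features": ["PingOne User resolver"]},
]

if __name__ == "__main__":
    for gw in GATEWAYS:
        print(gw["name"], audit_gateway(gw, ROLE_PERMISSIONS))
```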

Assigning roles to gateways

Assign and unassign roles to ensure your Authorize gateways have the necessary permissions to evaluate authorization policies.

Before you begin

Steps

  1. In the PingOne admin console, go to Integrations > Gateways and click the Authorize gateway you want to work with.

  2. On the Roles tab, click Grant Roles.

  3. On the Available Responsibilities tab, click the relevant role.

  4. To assign the role to the gateway, select the checkboxes next to applicable environments.

  5. To remove a role assignment from the gateway, clear the checkboxes next to applicable environments.

    Assigning roles to gateways is similar to assigning roles to users. Learn more about assigning and removing roles in Managing user roles.

  6. Click Save.