In this guide, we’ll discuss what you need to know to write applications that take advantage of the Ping Identity Data Governance Broker’s resource server capabilities.
What is the Data Governance Broker?
The Ping Identity Data Governance Broker is a resource server, providing APIs for accessing and managing user data, as well as related data. This service is backed by a powerful policy engine that ensures that your organization’s access control rules are enforced consistently, reducing your organization’s security and privacy risks. By providing a single, consistent view of user data, your application is insulated from schema changes in the backend data stores where the user data resides.
Clients written for the Data Governance Broker must obtain an access token from an authorization server, such as PingFederate.
The Data Governance Broker’s resource server is a SCIM provider. A Data Governance Broker client can search, create, update, and delete user data and related data using the simple SCIM REST API.
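The client-side half of that exchange, as an added example that is not code from the Data Governance Broker documentation: a bearer-token SCIM search request is built, the filter value is quoted as the SCIM grammar requires so a user-supplied value cannot change the filter's structure, and the resource server's 401/403 answers are mapped onto the client's next step. The base URL and token value are placeholders.

```python
"""Minimal SCIM 2.0 client sketch for a resource server such as the Data
Governance Broker. Constructed example; the base URL and token value are
placeholders, not values taken from the product documentation."""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://broker.example.com/scim/v2"  # assumed; check your deployment


def scim_filter(attribute, value):
    """Build a SCIM 'eq' filter (RFC 7644 section 3.4.2.2). The comparison
    value is a JSON string, so json.dumps() produces exactly the quoting and
    escaping the grammar requires and keeps user input from altering the
    filter's structure."""
    return f"{attribute} eq {json.dumps(value)}"


def search_request(access_token, attribute, value, base_url=BASE_URL):
    """Return an authenticated GET /Users request. The access token is sent
    as an OAuth 2.0 bearer token (RFC 6750); the resource server, not the
    client, decides whether the token's scopes and the policy engine allow
    the read."""
    query = urllib.parse.urlencode({"filter": scim_filter(attribute, value)})
    return urllib.request.Request(
        f"{base_url}/Users?{query}",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/scim+json"},
    )


def classify_response(status, body):
    """Map the resource server's answer onto what the client should do.
    401: the bearer token was missing, expired or invalid, so go back to the
    authorization server. 403: the token was accepted but policy or consent
    denied the operation, so do not retry with the same token."""
    if status == 401:
        return "reauthorize"
    if status == 403:
        return "denied"
    if status == 200:
        return json.loads(body).get("Resources", [])
    # SCIM error responses carry 'scimType' and 'detail' (RFC 7644 section 3.12)
    err = json.loads(body) if body else {}
    return f"error {status}: {err.get('scimType', '')} {err.get('detail', '')}".strip()


if __name__ == "__main__":
    req = search_request("PLACEHOLDER_TOKEN", "userName", 'ann" or userName pr')
    print(req.full_url)  # the quote stays inside the string literal
    # Offline walkthrough with a constructed 200 response body
    body = json.dumps({"totalResults": 1, "Resources": [{"userName": "ann"}]})
    print(classify_response(200, body))
```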
Behind the scenes, the Data Governance Broker acts as a bridge to user data stored at the user store. The user store may be comprised of multiple data stores of arbitrary types, though an LDAP-based Ping Identity Directory Server is typical.
Let’s take these terms and break them down into a table of actors. We’ll be referring to these entities throughout the documentation.
| Actor | Description |
|---|---|
| Client | Also called an application. This is the software that you write. It relies upon the Data Governance Broker’s services to provide some benefit to your end users or your organization. Typically, it needs the Data Governance Broker to authenticate a user, and it needs to read or modify data belonging to the end user on that user’s behalf. |
| End user | Also called an identity or a resource owner. An end user is the subject of an application’s requests to the Data Governance Broker. The Data Governance Broker asserts to an application that an end user is who she says she is, and it acts as a gatekeeper to that user’s data. |
| Authorization server | In some contexts, this may also be called an authentication server or an identity provider. An authorization server authorizes an application for access to user data. If it is an authentication server, it also securely confirms an end user’s identity, acting as a single sign-on service for applications. |
| Resource server | A resource server serves data to clients, typically data belonging to end users. Using authorizations granted by the authorization server in the form of access tokens, the resource server ensures that data access is limited according to organizational policies and end user consent. |
| User store | The data store or collection of data stores containing user data or other data. The Data Governance Broker acts as a gateway to this data. |
Read the SCIM API reference if you’d like to explore the Data Governance Broker’s SCIM APIs in detail.