In this guide, we’ll discuss what you need to know to write applications that take advantage of the Ping Identity Data Governance Server’s resource server capabilities.
What is the Data Governance Server?
The Ping Identity Data Governance Server is a resource server, providing APIs for accessing and managing user data, as well as related data. This service is backed by a powerful policy engine that ensures that your organization’s access control rules are enforced consistently, reducing your organization’s security and privacy risks. By providing a single, consistent view of user data, the Data Governance Server insulates your application from schema changes in the backend data stores where the user data resides.
Clients written for the Data Governance Server must obtain an access token from an authorization server, such as PingFederate.
The Data Governance Server’s resource server is a SCIM provider. A Data Governance Server client can search, create, update, and delete user data and related data using the simple SCIM REST API.
Behind the scenes, the Data Governance Server acts as a bridge to user data stored in the user store. The user store may consist of multiple data stores of arbitrary types, though an LDAP-based Ping Identity Directory Server is typical.
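As an added example (not code from the Ping Identity documentation or product), the following minimal Python client shows how the access token obtained from the authorization server is presented to the SCIM resource server, and how a client tells apart the two refusals it must handle differently: a rejected token (get a new one) and a policy denial (do not retry). The host `dgs.example.com` and the `/scim/v2` base path are assumptions; the bearer header and `application/scim+json` media type follow the OAuth 2.0 and SCIM 2.0 standards.

```python
"""Minimal client for an OAuth-protected SCIM resource server such as the
Data Governance Server. Added example, not Ping Identity code."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values: placeholder host and the standard SCIM 2.0 base path.
SCIM_BASE = "https://dgs.example.com/scim/v2"


class ScimError(Exception):
    def __init__(self, outcome, status, detail):
        super().__init__(f"{outcome} ({status}): {detail}")
        self.outcome, self.status = outcome, status


def build_request(access_token, method, resource, params=None, body=None):
    """Build a SCIM request carrying the authorization server's access token
    as an RFC 6750 bearer token (e.g. GET Users?filter=userName eq "alice")."""
    url = f"{SCIM_BASE}/{resource.strip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/scim+json"}
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def http_transport(req):
    """Send the request; return (status, body). HTTP errors are returned as
    data so the caller can read the SCIM error document instead of losing it."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify_status(status):
    """401: the resource server rejected the token (missing, expired, revoked),
    so the client must go back to the authorization server for a new one.
    403: the token is valid but policy or consent forbids this access;
    retrying with the same token is pointless and should not be done."""
    if status == 401:
        return "token_rejected"
    if status == 403:
        return "access_denied"
    return "ok" if status < 400 else "error"


def scim_call(access_token, method, resource, params=None, body=None,
              transport=http_transport):
    """Perform one SCIM operation and return the parsed JSON document."""
    status, raw = transport(build_request(access_token, method, resource, params, body))
    payload = json.loads(raw) if raw else {}
    outcome = classify_status(status)
    if outcome != "ok":  # surface the SCIM "detail", never the token itself
        raise ScimError(outcome, status, payload.get("detail", ""))
    return payload
```

The `transport` parameter exists so the request and error handling can be exercised against a fake server without network access.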
Let’s take these terms and break them down into a table of actors. We’ll be referring to these entities throughout the documentation.
| Actor | Description |
|---|---|
| Client | Also called an application. This is the software that you write. It relies upon the Data Governance Server’s services to provide some benefit to your end users or your organization. Typically, it needs an external authorization server, such as PingFederate, to authenticate a user, then requests the Data Governance Server to read or modify data on the end user’s behalf. |
| End user | Also called an identity or a resource owner. An end user is the subject of an application’s requests to the Data Governance Server. The Data Governance Server asserts to an application that an end user is who she says she is, and it acts as a gatekeeper to that user’s data. |
| Authorization server | In some contexts, this may also be called an authentication server or an identity provider. An authorization server authorizes an application for access to user data. If it is an authentication server, it also securely confirms an end user’s identity, acting as a single sign-on service for applications. |
| Resource server | A resource server serves data to clients, typically data belonging to end users. Using authorizations granted by the authorization server in the form of access tokens, the resource server ensures that data access is limited according to organizational policies and end user consent. |
| User store | The data store or collection of data stores containing user data or other data. The Data Governance Server acts as a gateway to this data. |
Read the SCIM API reference if you’d like to explore the Data Governance Server’s SCIM APIs in detail.