Cross-Service Access Reviews with PingOne

Step-by-step configuration for access reviews spanning PingOne and other integrated systems

Overview

This guide shows how to configure access reviews that span PingOne and other integrated systems using cross-service identity mapping.

For background on PingOne's cross-service capabilities, see PingOne Cross-Service Identity Mapping.

Prerequisites

  • PingOne integration configured and extracting data

  • Target systems (Azure AD, applications, databases) integrated and extracting data

  • Custom Identity Mappings configured between systems

  • Identity correlation verified and working

Review Configuration Examples

Azure AD Users to PingOne Applications

Review Scope: Azure AD users and their access to PingOne applications

  1. Navigate to Access Reviews > Create New Configuration

  2. Query Builder:

    • Source: Azure AD User

    • Destination: PingOne User

  3. Filters: Apply department, location, or other attribute filters as needed

  4. Reviewers: Assign application owners or managers

  5. Save and launch review

PingOne Users to Downstream Applications

Review Scope: PingOne users and their access to mapped downstream systems

  1. Access Reviews > Create New Configuration

  2. Query Builder:

    • Source: PingOne User

    • Destination: Target application (Snowflake, AWS IAM, etc.)

  3. Filters: Filter by PingOne groups or user attributes if needed

  4. Reviewers: Assign based on downstream application ownership

  5. Save and launch review

Cross-Service Group Membership

Review Scope: User membership in mapped groups across systems

  1. Access Reviews > Create New Configuration

  2. Query Builder:

    • Source: Azure AD User

    • Destination: PingOne Group

  3. Relationship: Optionally specify group types or patterns

  4. Reviewers: Assign group owners or IT administrators

  5. Save and launch review

Cross-service reviews require properly configured identity mappings between systems. If users or groups don't appear in review results, verify your Custom Identity Mapping configuration and ensure both systems have completed recent data extraction.
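
A pre-flight check for the identity correlation and extraction freshness that the note above depends on, written as an added example that is not part of the original guide or of any vendor tooling. It assumes user lists exported from both systems; the records are constructed, the field names are hypothetical, and matching on a case-insensitive UPN/email and the 24-hour freshness window are assumptions about your mapping rule and schedule.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names are hypothetical, not a product schema.
AZURE_USERS = [
    {"id": "a1", "upn": "Alice@Example.com"},
    {"id": "a2", "upn": "bob@example.com"},
    {"id": "a3", "upn": "carol@example.com"},
]
PINGONE_USERS = [
    {"id": "p1", "email": "alice@example.com"},
    {"id": "p2", "email": "bob@example.com"},
    {"id": "p3", "email": " BOB@example.com"},
]
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
LAST_EXTRACTION = {  # constructed timestamps of each system's last extraction
    "azure_ad": datetime(2024, 1, 10, 2, 0, tzinfo=timezone.utc),
    "pingone": datetime(2024, 1, 5, 2, 0, tzinfo=timezone.utc),
}


def norm(value):
    """Case-insensitive, whitespace-trimmed match key (assumed mapping rule)."""
    return value.strip().lower()


def correlate(source, dest, src_key="upn", dst_key="email"):
    """Split source users into matched, unmatched and ambiguous (several hits)."""
    index = {}
    for user in dest:
        index.setdefault(norm(user[dst_key]), []).append(user["id"])
    report = {"matched": {}, "unmatched": [], "ambiguous": {}}
    for user in source:
        hits = index.get(norm(user[src_key]), [])
        if len(hits) == 1:
            report["matched"][user["id"]] = hits[0]
        elif hits:
            report["ambiguous"][user["id"]] = sorted(hits)
        else:
            report["unmatched"].append(user["id"])
    return report


def stale_sources(last_runs, now, max_age=timedelta(hours=24)):
    """Names of systems whose last extraction is older than max_age."""
    return sorted(name for name, ts in last_runs.items() if now - ts > max_age)


if __name__ == "__main__":
    print(correlate(AZURE_USERS, PINGONE_USERS))
    print(stale_sources(LAST_EXTRACTION, NOW))
```

Unmatched source users would be missing from the review scope, and ambiguous matches risk attributing access to the wrong identity, so resolve both before launching the review.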
