---
title: Creating an internal service account
description: Create an internal LDAP connection to operate against consent records that are stored as LDAP entries.
component: pingdirectory
version: 11.0
page_id: pingdirectory:consent_solution_guide:pd_cs_create_internal_service_acct
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/consent_solution_guide/pd_cs_create_internal_service_acct.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Creating an internal service account

Create an internal LDAP connection to operate against consent records that are stored as LDAP entries.

## About this task

The Consent Service uses an internal LDAP connection to operate against consent records that are stored as LDAP entries. The Consent Service authenticates the LDAP connection using a service account that must be created and dedicated solely to the Consent Service.

The Consent Service configuration script configures the internal service account using a topology administrator user. If needed, this can be changed to a root distinguished name (DN) user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.

This service account must have:

* Full read and write access to the Consent Service base DN.

* The ability to read users' `isMemberOf` attribute.

* The right to use the following LDAP controls:

  * IntermediateClientRequestControl (1.3.6.1.4.1.30221.2.5.2)

  * NameWithEntryUUIDRequestControl (1.3.6.1.4.1.30221.2.5.44)

  * RejectUnindexedSearchRequestControl (1.3.6.1.4.1.30221.2.5.54)

  * PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)

  * PostReadRequestControl (1.3.6.1.1.13.2)

For more information about configuring access, see [Managing access control](../managing_access_control/pd_ds_manage_access_control.html).

## Steps

1. To ensure the correct access, create a user with the `bypass-acl` privilege.

   ### Example:

   The following `dsconfig` command creates a topology admin user with the `bypass-acl` privilege.

   ```shell
   $ dsconfig create-topology-admin-user \
     --user-name "Consent Service Account" \
     --set "description:Consent API service account" \
     --set "alternate-bind-dn:cn=consent service account" \
     --set first-name:Consent \
     --set inherit-default-root-privileges:false \
     --set last-name:Service \
     --set password:CHANGE-ME \
     --set privilege:bypass-acl
   ```

   Note: The `bypass-acl` privilege grants a broad level of access, so you might not want to grant this privilege to the Consent Service account.

2. Set this user as the `bind-dn` for the Consent Service.

3. To enable a targeted set of functionality for the Consent Service, add the following access control instructions (ACIs).

   ### Example:

   The following example grants access to the `cn=consent service account` DN using global ACIs.

   ```shell
   # Grant access to the consent record base DN ou=consents,dc=example,dc=com
   dsconfig set-access-control-handler-prop \
     --add 'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)'

   # Grant access to the LDAP request controls used by the Consent Service.
   dsconfig set-access-control-handler-prop \
     --add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///cn=consent service account";)'
   ```
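   A pre-deployment check for the two global ACIs above, added here as an example and not part of the Ping Identity documentation or product: it parses each `--add` value and confirms that the service account gets `allow(all)` on the consent base DN and `read` on all five required request controls, reporting any OID that was left out. The regular expressions cover only the ACI syntax used on this page, and the bind DN and base DN are the page's example values.

   ```python
   import re

   # Controls the Consent Service account must be allowed to use (OIDs listed on this page).
   REQUIRED_CONTROLS = {
       "1.3.6.1.4.1.30221.2.5.2": "IntermediateClientRequestControl",
       "1.3.6.1.4.1.30221.2.5.44": "NameWithEntryUUIDRequestControl",
       "1.3.6.1.4.1.30221.2.5.54": "RejectUnindexedSearchRequestControl",
       "1.2.840.113556.1.4.1413": "PermissiveModifyRequestControl",
       "1.3.6.1.1.13.2": "PostReadRequestControl",
   }
   SERVICE_ACCOUNT = "ldap:///cn=consent service account"  # the page's example bind DN
   CONSENT_BASE = "ldap:///ou=consents,dc=example,dc=com"   # the page's example base DN
   TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
   RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"')

   def parse_aci(aci):
       """Split one global ACI (or a raw 'global-aci:' --add value) into targets and rules."""
       aci = aci.split("global-aci:", 1)[-1]
       targets = {kw: (op, val.split("||")) for kw, op, val in TARGET_RE.findall(aci)}
       rules = [(kind, {r.strip() for r in rights.split(",")}, who)
                for kind, rights, who in RULE_RE.findall(aci)]
       return {"targets": targets, "rules": rules}

   def check_consent_acis(acis):
       """Return findings (empty list means OK): the service account needs allow(all)
       on the consent base DN and read on every required control."""
       findings, granted_controls, data_ok = [], set(), False
       for parsed in map(parse_aci, acis):
           rights = set().union(*[r for kind, r, who in parsed["rules"]
                                  if kind == "allow" and who == SERVICE_ACCOUNT])
           target = parsed["targets"].get("target")
           if target and target[0] == "=" and CONSENT_BASE in target[1] and "all" in rights:
               data_ok = True
           control = parsed["targets"].get("targetcontrol")
           if control and control[0] == "=" and "read" in rights:
               granted_controls.update(control[1])
       if not data_ok:
           findings.append(f"no ACI grants allow(all) on {CONSENT_BASE} to the service account")
       for oid, name in REQUIRED_CONTROLS.items():
           if oid not in granted_controls:
               findings.append(f"missing targetcontrol {oid} ({name})")
       return findings

   # Constructed sample: the two --add values from the dsconfig commands above.
   PAGE_ACIS = [
       'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; '
       'acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)',
       'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||1.3.6.1.4.1.30221.2.5.54||'
       '1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")(version 3.0; acl "Consent Service account access to selected controls"; '
       'allow (read) userdn="ldap:///cn=consent service account";)',
   ]
   ```

   Running `check_consent_acis` against the ACIs actually configured (for example, the `global-aci` values read back with `dsconfig get-access-control-handler-prop`) turns the requirements list above into a repeatable check rather than a manual comparison.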
