--- title: Privileges description: The PingDirectory server defines several privileges that it can use to give a user additional functionality or restrict access to some functionality. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_security_guide:pd_sec_privileges canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_privileges.html revdate: September 13, 2023 section_ids: available-privileges: Available privileges assign_user_entry_privileges: Assigning privileges --- # Privileges The PingDirectory server defines several privileges that it can use to give a user additional functionality or restrict access to some functionality. ## Available privileges Some of the defined privileges include in the following. | Privilege | Description | | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `audit-data-security` | Required for a user to invoke the audit data security task to generate a report on security-related aspects of the data contained in the server. | | `backend-backup` | Required to initiate an online backup through an administrative task. | | `backend-restore` | Required to initiate an online restore through an administrative task. | | `bypass-acl` | Exempts the user from access control evaluation for all operations. This grants the user full access to all data in the server, although they might still be limited by things like client connection policies or sensitive attributes. | | `bypass-pw-policy` | Exempts the user from certain password policy restrictions when changing another user's password. This includes:- The user is allowed to set a pre-encoded password for another user even if the password policy forbids it. - The user is allowed to set a password for another user even if it fails validation. - The user is allowed to set a password for another user even if it is in the user's password history. | | `bypass-read-acl` | Exempts the user from access control evaluation for read operations, including search and compare. Write operations are still subject to access control evaluation, and the user might still be limited by constraints in the client connection policy and sensitive attribute definitions. | | `collect-support-data` | Required to invoke the `collect-support-data` tool through an administrative task or an extended operation. | | `config-read` | Required for a user to to read any information from the server configuration. | | `config-write` | Required (in addition to the `config-read` privilege) to update the server configuration. | | `disconnect-client` | Required to forcefully disconnect another client. | | `exec-task` | Required to invoke an exec task. | | `file-servlet-access` | Might be required to access the content of certain file servlet instances, including the instance root file servlet. | | `jmx-notify` | Required to subscribe to receive JMX notifications. | | `jmx-read` | Required to read monitor data from JMX. | | `ldif-export` | Required to initiate an online LDIF export through an administrative task. | | `ldif-import` | Required to initiate an online LDIF import through an administrative task. | | `lockdown-mode` | Required to cause the server to enter and leave lockdown mode, and also to submit requests while the server is in lockdown mode. | | `manage-topology` | Required to process topology-related operations, like adding servers to and removing servers from the topology. | | `modify-acl` | Required to add and remove ACIs. | | `password-reset` | Required to change the password for another user. This privilege is also required to use the password policy state extended operation and might be required for other password-policy-related operations. Either this privilege or the `permit-externally-processed-authentication` privilege is required to use the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASLmechanism. | | `permit-externally-processed-authentication` | Either this privilege or the password-reset privilege is required to be able to use the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism. | | `permit-get-password-policy-state-issues` | Required to use the get password policy state issues request control. | | `privilege-change` | Required to alter the set of privileges assigned to a user. | | `proxied-auth` | Required to request an alternate authorization identity (that is, to impersonate another user). This includes the ability to use the proxied authorization request control, the intermediate client request control with a userIdentity value, and requesting an alternate authorization identity in applicable SASL mechanisms. | | `server-restart` | Required to initiate an online restart through an administrative task. | | `server-shutdown` | Required to initiate a server shutdown through an administrative task. | | `soft-delete-read` | Required to access soft-deleted entries. | | `stream-values` | Required to use the stream directory values or stream proxy values extended operation. | | `third-party-task` | Required to invoke a custom task implemented using the Server SDK. | | `unindexed-search` | Required to request an unindexed search. | | `unindexed-search-with-control` | Required to request an unindexed search in conjunction with the permit unindexed search request control. | | `update-schema` | Required to update the server schema. | | `use-admin-session` | Required to create an administrative session that allows operations to be processed in a dedicated thread pool. | ## Assigning privileges Privileges can be assigned to users by adding the `ds-privilege-name` operational attribute to a user's entry with a value set to the desired privilege. This is a multivalued attribute, so multiple privileges can be assigned. For example, the following modification demonstrates the process for granting the password-reset privilege to a user. The `privilege-change` privilege is required to alter the set of privileges assigned to a user, so this modification is only allowed if the requester has that privilege. ``` dn: uid=pwadmin,ou=People,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset ``` This process also works for root users and topology administrators although you can also use `dsconfig` or the admin console to alter the set of privileges for those users through the `privilege` property in the user configuration. Root users and topology administrators can also automatically inherit a default set of privileges from the configuration. This default set of privileges is defined in the `default-root-privilege-name` property of the Root DN configuration object. If a root user or topology administrator is to automatically inherit this default set of privileges, then their configuration object has the `inherit-default-root-privileges` property set to true.