---
title: Configuring alternate authorization identities
description: Alternate authorization identities are specified by the authz-attribute property of the entry-balancing request processor configuration object.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectoryproxy_server_administration_guide:pd_proxy_config_alt_authn_identities
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectoryproxy_server_administration_guide/pd_proxy_config_alt_authn_identities.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Configuring alternate authorization identities

Alternate authorization identities are specified by the `authz-attribute` property of the entry-balancing request processor configuration object.

## About this task

By default, the `authz-attribute` property has the default value of `ds-authz-map-to-dn`, which is an attribute reserved for this purpose.

If a user entry has a value for `ds-authz-map-to-dn`, whether it's explicitly contained in the entry or only present with a virtual attribute, that value is used to specify the alternate authorization identity for the user. Otherwise, the default authorization identity, as indicated with the `authz-dn` configuration property, is used to determine the alternate authorization identity.

## Steps

1. Set the `authz-dn` property of the entry-balancing request processor configuration using the `dsconfig` tool.

   |   |                                                                                                                                                                                                                                  |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If any user among the balanced entries doesn't have an alternate authorization identity defined, the PingDirectoryProxy server uses the value of the `authz-dn` property of the entry-balancing request processor configuration. |

   ### Example:

   ```shell
   $ bin/dsconfig set-request-processor-prop \
     --processor-name dc_example_dc_com-eb-req-processor \
     --set "authz-dn:uid=normal user,dc=example,dc=com"
   ```

2. Create an auxiliary object class containing `ds-authz-map-to-dn` as an allowed attribute.

3. Add the auxiliary object class value to all user entries of interest.

4. Add the following attribute value to a `server-admin` user.

   ### Example:

   ```
   ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com
   ```