PingDirectory

Privileges automatically granted to root users

The special abilities that root users have are granted through privileges.

You can assign privileges to root users in two ways:

  • By default, root users can be granted a specified set of privileges.

    You can create root users that are not automatically granted these privileges by including the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in the entries for those root users.

  • You can grant additional privileges to individual root users and remove some automatically granted privileges from individual root users.

The default-root-privilege-name property of the root distinguished name (DN) configuration object controls the set of privileges that are automatically granted to root users. By default, these privileges include:

  • audit-data-security

  • backend-backup

  • backend-restore

  • bypass-acl

  • config-read

  • config-write

  • disconnect-client

  • ldif-export

  • lockdown-mode

  • manage-topology

  • metrics-read

  • modify-acl

  • password-reset

  • permit-get-password-policy-state-issues

  • privilege-change

  • server-restart

  • server-shutdown

  • soft-delete-read

  • stream-values

  • unindexed-search

  • update-schema

The privileges not granted to root users by default include:

  • bypass-pw-policy

  • bypass-read-acl

  • jmx-read

  • jmx-write

  • jmx-notify

  • permit-externally-processed-authentication

  • permit-proxied-mschapv2-details

  • proxied-auth

You can change the set of default root privileges to add or remove values as necessary. This requires the config-read, config-write, and privilege-change privileges, and either the bypass-acl privilege or sufficient permission granted by the access control configuration to change the server’s configuration.
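As an added illustration, not part of the PingDirectory documentation or product code, the following Python computes a root user's effective privilege set from its entry (using the default set listed above and the ds-cfg-inherit-default-root-privileges attribute) and flags any privilege from the non-default list that the user holds. It assumes, beyond what this page states, that explicit grants are stored in a ds-privilege-name attribute and that a value prefixed with "-" removes an automatically granted privilege; the sample entry is constructed.

```python
# Default root privilege set as listed on this page.
DEFAULT_ROOT_PRIVILEGES = {
    "audit-data-security", "backend-backup", "backend-restore", "bypass-acl",
    "config-read", "config-write", "disconnect-client", "ldif-export",
    "lockdown-mode", "manage-topology", "metrics-read", "modify-acl",
    "password-reset", "permit-get-password-policy-state-issues",
    "privilege-change", "server-restart", "server-shutdown", "soft-delete-read",
    "stream-values", "unindexed-search", "update-schema",
}
# Privileges the page lists as not granted by default; holding one means it was granted explicitly.
NON_DEFAULT_PRIVILEGES = {
    "bypass-pw-policy", "bypass-read-acl", "jmx-read", "jmx-write", "jmx-notify",
    "permit-externally-processed-authentication",
    "permit-proxied-mschapv2-details", "proxied-auth",
}

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal one-entry LDIF parser: 'attr: value' lines only, names lowercased."""
    attrs: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def effective_privileges(entry: dict[str, list[str]]) -> set[str]:
    """Privileges a root user ends up with. Assumptions not stated on the
    page: explicit grants live in ds-privilege-name, and a value prefixed
    with '-' removes an automatically granted privilege."""
    inherit = entry.get("ds-cfg-inherit-default-root-privileges", ["TRUE"])[0]
    privs = set() if inherit.upper() == "FALSE" else set(DEFAULT_ROOT_PRIVILEGES)
    for value in entry.get("ds-privilege-name", []):
        if value.startswith("-"):
            privs.discard(value[1:])
        else:
            privs.add(value)
    return privs

def non_default_grants(text: str) -> set[str]:
    """Audit helper: non-default privileges held by the root user entry in `text`."""
    return effective_privileges(parse_ldif_entry(text)) & NON_DEFAULT_PRIVILEGES

# Constructed sample entry: does not inherit the defaults, but is explicitly
# granted proxied-auth, which the page lists as a non-default privilege.
SAMPLE_ROOT_USER = """
dn: cn=Proxy Admin,cn=Root DNs,cn=config
ds-cfg-inherit-default-root-privileges: FALSE
ds-privilege-name: config-read
ds-privilege-name: proxied-auth
"""
```

Running `non_default_grants` over each exported root DN entry gives a quick review list of accounts carrying privileges the server would not have granted on its own.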