PingDirectory

Privileges

The PingDirectory server defines several privileges that it can use to give a user additional functionality or restrict access to some functionality.

Available privileges

Some of the defined privileges are listed below, each followed by its description.

audit-data-security

Required for a user to invoke the audit data security task to generate a report on security-related aspects of the data contained in the server.

backend-backup

Required to initiate an online backup through an administrative task.

backend-restore

Required to initiate an online restore through an administrative task.

bypass-acl

Exempts the user from access control evaluation for all operations. This grants the user full access to all data in the server, although they might still be limited by things like client connection policies or sensitive attributes.

bypass-pw-policy

Exempts the user from certain password policy restrictions when changing another user’s password. This includes:

  • The user is allowed to set a pre-encoded password for another user even if the password policy forbids it.

  • The user is allowed to set a password for another user even if it fails validation.

  • The user is allowed to set a password for another user even if it is in the user’s password history.

bypass-read-acl

Exempts the user from access control evaluation for read operations, including search and compare. Write operations are still subject to access control evaluation, and the user might still be limited by constraints in the client connection policy and sensitive attribute definitions.

collect-support-data

Required to invoke the collect-support-data tool through an administrative task or an extended operation.

config-read

Required for a user to read any information from the server configuration.

config-write

Required (in addition to the config-read privilege) to update the server configuration.

disconnect-client

Required to forcefully disconnect another client.

exec-task

Required to invoke an exec task.

file-servlet-access

Might be required to access the content of certain file servlet instances, including the instance root file servlet.

jmx-notify

Required to subscribe to receive JMX notifications.

jmx-read

Required to read monitor data from JMX.

ldif-export

Required to initiate an online LDIF export through an administrative task.

ldif-import

Required to initiate an online LDIF import through an administrative task.

lockdown-mode

Required to cause the server to enter and leave lockdown mode, and also to submit requests while the server is in lockdown mode.

manage-topology

Required to process topology-related operations, like adding servers to and removing servers from the topology.

modify-acl

Required to add and remove ACIs.

password-reset

Required to change the password for another user. This privilege is also required to use the password policy state extended operation and might be required for other password-policy-related operations. Either this privilege or the permit-externally-processed-authentication privilege is required to use the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism.

permit-externally-processed-authentication

Either this privilege or the password-reset privilege is required to be able to use the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism.

permit-get-password-policy-state-issues

Required to use the get password policy state issues request control.

privilege-change

Required to alter the set of privileges assigned to a user.

proxied-auth

Required to request an alternate authorization identity (that is, to impersonate another user). This includes the ability to use the proxied authorization request control, the intermediate client request control with a userIdentity value, and requesting an alternate authorization identity in applicable SASL mechanisms.

server-restart

Required to initiate an online restart through an administrative task.

server-shutdown

Required to initiate a server shutdown through an administrative task.

soft-delete-read

Required to access soft-deleted entries.

stream-values

Required to use the stream directory values or stream proxy values extended operation.

third-party-task

Required to invoke a custom task implemented using the Server SDK.

unindexed-search

Required to request an unindexed search.

unindexed-search-with-control

Required to request an unindexed search in conjunction with the permit unindexed search request control.

update-schema

Required to update the server schema.

use-admin-session

Required to create an administrative session that allows operations to be processed in a dedicated thread pool.

Assigning privileges

Privileges can be assigned to users by adding the ds-privilege-name operational attribute to a user’s entry with a value set to the desired privilege. This is a multivalued attribute, so multiple privileges can be assigned.

For example, the following modification demonstrates the process for granting the password-reset privilege to a user. The privilege-change privilege is required to alter the set of privileges assigned to a user, so this modification is only allowed if the requester has that privilege.

dn: uid=pwadmin,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

This process also works for root users and topology administrators, although for those users you can also use dsconfig or the admin console to alter the set of privileges through the privilege property in the user's configuration.

Root users and topology administrators can also automatically inherit a default set of privileges from the configuration. This default set is defined in the default-root-privilege-name property of the Root DN configuration object. A root user or topology administrator inherits this default set when the inherit-default-root-privileges property of their configuration object is set to true.
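As an added example (not PingDirectory's own code or documentation), the following Python audits which entries in an LDIF export carry the high-risk privileges described above. It assumes the LDIF comes from an ldapsearch that returns ds-privilege-name, and embeds a constructed sample so it runs offline.

```python
"""Audit which entries hold high-risk PingDirectory privileges (added example,
not PingDirectory's own code). Input is the LDIF an ldapsearch returns."""
import base64
from collections import defaultdict

# Holders of these privileges effectively control the server or all of its data.
HIGH_RISK = {"bypass-acl", "bypass-pw-policy", "privilege-change",
             "config-write", "modify-acl", "proxied-auth"}

# Constructed sample: note the folded value and the base64 ("::") value, both
# of which a plain grep for "ds-privilege-name: bypass-acl" would miss.
SAMPLE_LDIF = """\
dn: uid=pwadmin,ou=People,dc=example,dc=com
ds-privilege-name: password-reset

dn: uid=svc-backup,ou=Apps,dc=example,dc=com
ds-privilege-name: backend-backup
ds-privilege-name: bypass-
 acl

dn: uid=legacy,ou=People,dc=example,dc=com
ds-privilege-name:: cHJpdmlsZWdlLWNoYW5nZQ==
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; unfolds continuation lines,
    drops comment lines and decodes base64 ('::') values."""
    lines = []
    for raw in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                             # blank line ends an entry
            attrs = defaultdict(list)
            for line in lines:
                name, _, rest = line.partition(":")
                value = (base64.b64decode(rest[1:].strip()).decode()
                         if rest.startswith(":") else rest.strip())
                attrs[name.lower()].append(value)
            yield attrs["dn"][0], attrs
            lines = []

def audit_privileges(ldif_text, high_risk=HIGH_RISK):
    """DN -> sorted high-risk privileges held. Privileges inherited through
    default-root-privilege-name live in the configuration, not in ds-privilege-name,
    so review root users and topology administrators with dsconfig as well."""
    per_dn = ((dn, sorted({v.lower() for v in a["ds-privilege-name"]} & high_risk))
              for dn, a in parse_ldif(ldif_text))
    return {dn: risky for dn, risky in per_dn if risky}
```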