Default root privileges
The PingDirectory server contains a privilege subsystem that allows for a more fine-grained control of privilege assignments.
Creating restricted root user accounts requires assigning privileges and the access controls needed for actions on specific data or backends. Access controls depend on how the directory is configured and on the structure of your data. See Managing access control for more information. Note that some privileges are effectively equivalent to full administrative control: bypass-acl defeats access control evaluation entirely, config-write permits arbitrary configuration changes, and privilege-change lets the holder grant any privilege, including to their own account. Assign these only where a restricted account genuinely needs them.
The following root privileges are assigned to each root user DN by default.
Privilege | Description |
---|---|
audit-data-security | Allows the associated user to execute data security auditing tasks. |
backend-backup | Allows the user to perform backend backup operations. |
backend-restore | Allows the user to perform backend restore operations. |
bypass-acl | Allows the user to bypass access control evaluation. |
config-read | Allows the user to read the server configuration. |
config-write | Allows the user to update the server configuration. |
disconnect-client | Allows the user to terminate arbitrary client connections. |
ldif-export | Allows the user to perform LDIF export operations. |
ldif-import | Allows the user to perform LDIF import operations. |
lockdown-mode | Allows the user to request a server lockdown. |
manage-topology | Allows the user to modify topology settings. |
metrics-read | Allows the user to read server metrics. |
modify-acl | Allows the user to modify access control rules. |
password-reset | Allows the user to reset other users' passwords, but not their own. The user must also have write access to the password attribute of the target entry, granted through access control. |
permit-get-password-policy-state-issues | Allows the user to access password policy state issues. |
privilege-change | Allows the user to change the set of privileges for a specific user, or to change the set of privileges automatically assigned to a root user. |
server-restart | Allows the user to request a server restart. |
server-shutdown | Allows the user to request a server shutdown. |
soft-delete-read | Allows the user to access soft-deleted entries. |
stream-values | Allows the user to perform the stream values extended operation, which obtains all entry DNs and/or all values for one or more attributes within a specified portion of the DIT. |
third-party-task | Allows the associated user to invoke tasks created by third-party developers. |
unindexed-search | Allows the user to perform an unindexed search in the Oracle Berkeley DB Java Edition backend. |
update-schema | Allows the user to update the server schema. |
use-admin-session | Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads. |
The PingDirectory server provides other privileges that are not assigned to the root user DN by default. They can be added with the ldapmodify tool; see Modifying Individual Root User Privileges for more information.
Privilege | Description |
---|---|
bypass-pw-policy | Allows the associated user to bypass password policy rules and restrictions. |
bypass-read-aci | Allows the associated user to bypass the access control checks the server performs for bind, compare, and search operations. Access control evaluation is still enforced for other types of operations. |
jmx-notify | Allows the associated user to subscribe to JMX notifications. |
jmx-read | Allows the associated user to perform JMX read operations. |
jmx-write | Allows the associated user to perform JMX write operations. |
permit-externally-processed-authentication | Allows the associated user to accept externally processed authentication. |
permit-proxied-mschapv2-details | Allows the associated user to permit use of the MS-CHAP v2 handshake protocol. |
proxied-auth | Allows the associated user to use proxied authorization. |
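The following is an added example, not PingDirectory's own tooling or text from this page. It prepares the LDIF change record that ldapmodify would apply when trimming a root account down to a specific privilege set, validating every name against the two tables above so that a typo cannot silently leave an account with the wrong privileges, and flagging the privileges that bypass access control or allow escalation. It assumes that privileges are stored as multi-valued `ds-privilege-name` values on the root user entry under `cn=Root DNs,cn=config`; that attribute name, the DN, and the privilege lists in the scenario are assumptions and constructed data, not taken from this page.

```python
"""Build an LDIF change record that adjusts a root user's privilege set.

Added example for this page; not PingDirectory's own tooling. Assumes that
privileges are held as multi-valued ds-privilege-name attribute values on
the root user entry under cn=Root DNs,cn=config. The DN used in the
scenario below is constructed.
"""

# Privileges granted to every root user DN by default (first table on this page).
DEFAULT_ROOT_PRIVILEGES = frozenset({
    "audit-data-security", "backend-backup", "backend-restore", "bypass-acl",
    "config-read", "config-write", "disconnect-client", "ldif-export",
    "ldif-import", "lockdown-mode", "manage-topology", "metrics-read",
    "modify-acl", "password-reset", "permit-get-password-policy-state-issues",
    "privilege-change", "server-restart", "server-shutdown", "soft-delete-read",
    "stream-values", "third-party-task", "unindexed-search", "update-schema",
    "use-admin-session",
})

# Privileges that exist but are not granted to root users by default (second table).
OPTIONAL_PRIVILEGES = frozenset({
    "bypass-pw-policy", "bypass-read-aci", "jmx-notify", "jmx-read", "jmx-write",
    "permit-externally-processed-authentication",
    "permit-proxied-mschapv2-details", "proxied-auth",
})

KNOWN_PRIVILEGES = DEFAULT_ROOT_PRIVILEGES | OPTIONAL_PRIVILEGES

# Privileges whose descriptions above amount to defeating access control or
# escalating: worth a second look on any restricted root account.
HIGH_RISK = frozenset({"bypass-acl", "bypass-read-aci", "config-write",
                       "modify-acl", "privilege-change", "proxied-auth"})

PRIVILEGE_ATTR = "ds-privilege-name"  # assumed attribute name, see docstring


def plan_privilege_change(current, desired):
    """Return (to_add, to_delete) so that `current` becomes exactly `desired`.

    Raises ValueError for any name absent from the two tables on this page.
    """
    unknown = (set(current) | set(desired)) - KNOWN_PRIVILEGES
    if unknown:
        raise ValueError(f"unknown privilege name(s): {sorted(unknown)}")
    return sorted(set(desired) - set(current)), sorted(set(current) - set(desired))


def build_modify_ldif(dn, to_add, to_delete):
    """Render one LDIF modify record; each change item ends with a '-' line."""
    lines = [f"dn: {dn}", "changetype: modify"]
    if to_add:
        lines.append(f"add: {PRIVILEGE_ATTR}")
        lines.extend(f"{PRIVILEGE_ATTR}: {p}" for p in to_add)
        lines.append("-")
    if to_delete:
        lines.append(f"delete: {PRIVILEGE_ATTR}")
        lines.extend(f"{PRIVILEGE_ATTR}: {p}" for p in to_delete)
        lines.append("-")
    return "\n".join(lines) + "\n"


def high_risk_privileges(privileges):
    """Names from `privileges` that bypass ACLs or permit privilege escalation."""
    return sorted(set(privileges) & HIGH_RISK)


if __name__ == "__main__":
    # Constructed scenario: a backup-operator root account that should keep
    # only backup, restore and export privileges plus JMX read access.
    dn = "cn=Backup Admin,cn=Root DNs,cn=config"  # constructed DN
    current = ["backend-backup", "backend-restore", "bypass-acl", "config-write"]
    desired = ["backend-backup", "backend-restore", "ldif-export", "jmx-read"]
    adds, deletes = plan_privilege_change(current, desired)
    print(build_modify_ldif(dn, adds, deletes))
    print("# high-risk privileges still held:", high_risk_privileges(desired))
```

The printed record is the input ldapmodify expects; review the add and delete items and the high-risk list before applying it, because once privilege-change or bypass-acl is removed from an account, that account can no longer undo the change itself.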