Add the ds-privilege-name operational attribute to the user's entry with the names of the desired privileges. For example, the following change grants the proxied-auth privilege to the uid=proxy,dc=example,dc=com account.

dn: uid=proxy,dc=example,dc=com 
changetype: modify 
add: ds-privilege-name 
ds-privilege-name: proxied-auth

The user making this change must have the privilege-change privilege, and the server's access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user's entry.

You can use the same method to grant root users privileges that aren't included in the set of default root privileges. You can also remove default root privileges from root users by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the set of default root privileges and removes the server-restart and server-shutdown privileges.

dn: cn=Sync Root User,cn=Root DNs,cn=config 
changetype: modify 
add: ds-privilege-name 
ds-privilege-name: jmx-read 
ds-privilege-name: -server-restart 
ds-privilege-name: -server-shutdown
Note:

Because root user entries exist in the configuration, this update requires the config-read and config-write privileges in addition to the privilege-change privilege.