You can assign privileges to root users in two ways:

  • By default, root users can be granted a specified set of privileges.

    You can create root users which are not automatically granted these privileges by including the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in the entries for those root users.

  • You can grant additional privileges to individual root users and remove some automatically-granted privileges from individual root users.

The default-root-privilege-name property of the root distinguished name (DN) configuration object controls the set of privileges that are automatically granted to root users. By default, these privileges include:

  • audit-data-security
  • backend-backup
  • backend-restore
  • bypass-acl
  • config-read
  • config-write
  • disconnect-client
  • ldif-export
  • lockdown-mode
  • manage-topology
  • metrics-read
  • modify-acl
  • password-reset
  • permit-get-password-policy-state-issues
  • privilege-change
  • server-restart
  • server-shutdown
  • soft-delete-read
  • stream-values
  • unindexed-search
  • update-schema

The privileges not granted to root users by default include:

  • bypass-pw-policy
  • bypass-read-acl
  • jmx-read
  • jmx-write
  • jmx-notify
  • permit-externally-processed-authentication
  • permit-proxied-mschapv2-details
  • proxied-auth

You can change the set of default root privileges to add or remove values as necessary. This requires the config-read, config-write, and privilege-change privileges, and either the bypass-acl privilege or sufficient permission granted by the access control configuration to change the server's configuration.