Beginning with Delegated Admin 3.5.0 and PingDirectory Server 7.3.0.1, user access to standard and constructed attributes can be set to read-only as well as to read/write. We recommend that you restrict access to constructed attributes to read-only. Read-only attributes do not appear on the UI pages that are associated with the creation of users, groups, and other objects.

Use the dsconfig tool to set a standard or constructed attribute as read-only, as the following example shows:

dsconfig set-delegated-admin-attribute \
  --type-name users \
  --attribute-type modifyTimestamp \
  --set mutability:read-only

The following example resets a standard or constructed attribute from read-only to read/write:

dsconfig set-delegated-admin-attribute \
  --type-name users \
  --attribute-type modifyTimestamp \
  --reset mutability