The PingDirectory Server contains a privilege subsystem that allows for a more fine-grained control of privilege assignments.

Note: Creating restricted root user accounts requires assigning privileges and necessary access controls for actions on specific data or backends. Access controls are determined by how the directory is configured and the structure of your data. See Chapter 16: Managing Access Controls for more information.

The following set of root privileges are available to each root user DN:

Privilege Description
audit-data-security Allows the associated user to execute data security auditing tasks.
backend-backup Allows the user to perform backend backup operations.
backend-restore Allows the user to perform backend restore operations.
bypass-acl Allows the user to bypass access control evaluation.
config-read Allows the user to read the server configuration.
config-write Allows the user to update the server configuration.
disconnect-client Allows the user to terminate arbitrary client connections.
ldif-export Allows the user to perform LDIF export operations.
ldif-import Allows the user to perform LDIF import operations.
lockdown-mode Allows the user to request a server lockdown.
manage-topology Allows the user to modify topology setting.
metrics-read Allows the user to read server metrics.
modify-acl Allows the user to modify access control rules.
password-reset Allows the user to reset user passwords but not their own. The user must also have privileges granted by access control to write the user password to the target entry.
permit-get-password-policy-state-issues Allows the user to access password policy state issues.
privilege-change Allows the user to change the set of privileges for a specific user, or to change the set of privileges automatically assigned to a root user.
server-restart Allows the user to request a server restart.
server-shutdown Allows the user to request a server shutdown.
soft-delete-read Allows the user access to soft-deleted entries.
stream-values Allows the user to perform a stream values extended operation that obtains all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.
third-party-task Allows the associated user to invoke tasks created by third-party developers.
unindexed-search Allows the user to perform an unindexed search in the Oracle Berkeley DB Java Edition backend.
update-schema Allows the user to update the server schema.
use-admin-session Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.
The Directory Server provides other privileges that are not assigned to the root user DN by default but can be added using the ldapmodify tool (see Modifying Individual Root User Privileges) for more information.
Privilege Description
bypass-pw-policy Allows the associated user bypass password policy rules and restrictions.
bypass-read-aci Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.
jmx-notify Allows the associated user to subscribe to receive JMX notifications.
jmx-read Allows the associated user to perform JMX read operations.
jmx-write Allows the associated user to perform JMX write operations.
permit-externally-processed-authentication Allows the associated user accept externally processed authentication.
permit-proxied-mschapv2-details Allows the associated user to permit MS-CHAP V2 handshake protocol.
proxied-auth Allows the associated user to accept proxied authorization.