Page created: 6 Nov 2019
|
Page updated: 25 Mar 2020
The following privileges are defined in the PingDirectoryProxy Server.
Privilege | Description |
---|---|
audit-data-security | This privilege is required to initiate a data security audit on the server, which is invoked by the audit-data-security tool. |
backend-backup | This privilege is required to initiate an online backup through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the tasks backend. |
backend-restore | This privilege is required to initiate an online restore through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the tasks backend. |
bypass-acl | This privilege allows a user to bypass access control evaluation. For a user
with this privilege, any access control determination made by the server
immediately returns that the operation is allowed. Note, however, that this does
not bypass privilege evaluation, so the user must have the appropriate set of
additional privileges to be able to perform any privileged operation (for example,
a user with the bypass-acl privilege but without the
config-read privilege is not allowed to access the server
configuration). |
bypass-pw-policy | This privilege allows a user entry to bypass password policy evaluation. This privilege is intended for cases where external synchronization might require passwords that violate the password validation rules. The privilege is not evaluated for bind operations so that password policy evaluation will still occur when binding as a user with this privilege. |
bypass-read-acl | This privilege allows the associated user to bypass access control checks performed by the server for bind, search, and compare operations. Access control evaluation may still be enforced for other types of operations. |
config-read | This privilege is required for a user to access the server configuration. Access control evaluation is still performed and can be used to restrict the set of configuration objects that the user is allowed to see. |
config-write | This privilege is required for a user to alter the server configuration. The
user is also required to have the config-read privilege. Access
control evaluation is still performed and can be used to restrict the set of
configuration objects that the user is allowed to alter. |
disconnect-client | This privilege is required for a user to request that an existing client connection be terminated. The connection is terminated through the disconnect client task. The server's access control configuration must also allow the user to add the corresponding entry to the tasks backend. |
jmx-notify | This privilege is required for a user to subscribe to JMX notifications
generated by the Directory Proxy Server. The user is also required to have
the jmx-read privilege. |
jmx-read | This privilege is required for a user to access any information provided by the Directory Proxy Server via the Java Management Extensions (JMX). |
jmx-write | This privilege is required for a user to update any information exposed by
the Directory Proxy Server via the Java Management
Extensions (JMX). The user is also required to have the jmx-read
privilege. Note that currently all of the information exposed by the server over
JMX is read-only. |
ldif-export | This privilege is required to initiate an online LDIF export through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the Tasks backend. To allow access to the Tasks backend, you can set up a global ACI that allows access to members of an Administrators group. |
ldif-import | This privilege is required to initiate an online LDIF import through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the Tasks backend. To allow access to the Tasks backend, configure the global ACI as shown in the previous description of the ldif-export privilege. |
lockdown-mode | This privilege allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode. |
modify-acl | This privilege is required for a user to add, modify, or remove access
control rules defined in the server. The server's access control configuration
must also allow the user to make the corresponding change to the
aci operational attribute. |
password-reset | This privilege is required for one user to be allowed to change another
user’s password. This privilege is not required for a user to be allowed to change
his or her own password. The user must also have the access control instruction
privilege to write the userPassword attribute to the target
entry. |
privilege-change | This privilege is required for a user to change the set of privileges
assigned to a user, including the set of privileges, which are automatically
granted to root users. The server's access control configuration must also allow
the user to make the corresponding change to the
ds-privilege-name operational attribute. |
proxied-auth | This privilege is required for a user to request that an operation be performed with an alternate authorization identity. This privilege applies to operations that include the proxied authorization v1 or v2 control operations that include the intermediate client request control with a value set for the client identity field, or for SASL bind requests that can include an authorization identity different from the authentication identity. |
server-restart | This privilege is required to initiate a server restart through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the tasks backend. |
server-shutdown | This privilege is required to initiate a server shutdown through the tasks interface. The server's access control configuration must also allow the user to add the corresponding entry in the tasks backend. |
soft-delete-read | This privilege is required for a user to access a soft-deleted-entry. |
stream-values | This privilege is required for a user to perform a stream values extended operation, which obtains all entry DNs and/or all values for one or more attributes for a specified portion of the DIT. |
unindexed-search | This privilege is required for a user to be able to perform a search operation in which a reasonable set of candidate entries cannot be determined using the defined index and instead, a significant portion of the database needs to be traversed to identify matching entries. The server's access control configuration must also allow the user to request the search. |
update-schema | This privilege is required for a user to modify the server schema. The server's access control configuration must allow the user to update the operational attributes that contain the schema elements. |