Privileges can be granted to normal users on an individual basis. This can be accomplished by adding the ds-privilege-name operational attribute to that user's entry with the names of the desired privileges. For example, the following change will grant the proxied-auth privilege to the uid=proxy,dc=example,dc=com account:

dn: uid=proxy,dc=example,dc=com 
changetype: modify 
add: ds-privilege-name 
ds-privilege-name: proxied-auth

The user making this change will be required to have the privilege-change privilege, and the server's access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user's entry.

This same method can be used to grant privileges to root users that they would not otherwise have through the set of default root privileges. You can also remove default root privileges from root users by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the set of default root privileges, and removes the server-restart and server-shutdown privileges:

dn: cn=Sync Root User,cn=Root DNs,cn=config 
changetype: modify 
add: ds-privilege-name 
ds-privilege-name: jmx-read 
ds-privilege-name: -server-restart 
ds-privilege-name: -server-shutdown

Note that because root user entries exist in the configuration, this update requires the config-read and config-write privileges in addition to the privilege-change privilege.