The special abilities that root users have are granted through privileges. Privileges can be assigned to root users in two ways:
  • By default, root users may be granted a specified set of privileges. Note that it is possible to create root users which are not automatically granted these privileges by including the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in the entries for those root users.
  • Individual root users can have additional privileges granted to them, and/or some automatically-granted privileges may be removed from that user.
The set of privileges that are automatically granted to root users is controlled by the default-root-privilege-name property of the Root DN configuration object. By default, this set of privileges includes:
  • audit-data-security
  • backend-backup
  • backend-restore
  • bypass-acl
  • config-read
  • config-write
  • disconnect-client
  • ldif-export
  • lockdown-mode
  • manage-topology
  • metrics-read
  • modify-acl
  • password-reset
  • permit-get-password-policy-state-issues
  • privilege-change
  • server-restart
  • server-shutdown
  • soft-delete-read
  • stream-values
  • unindexed-search
  • update-schema
The privileges not granted to root users by default include:
  • bypass-pw-policy
  • bypass-read-acl
  • jmx-read
  • jmx-write
  • jmx-notify
  • permit-externally-processed-authentication
  • permit-proxied-mschapv2-details
  • proxied-auth

The set of default root privileges can be altered to add or remove values as necessary. Doing so will require the config-read, config-write, and privilege-change privileges, as well as either the bypass-acl privilege or sufficient permission granted by the access control configuration to make the change to the server's configuration.
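
The rules above can be checked offline when auditing root user entries. The following is an added example, not code from the server or its documentation: it computes a root user's effective privileges and whether that user could alter the default set. It assumes per-user grants are stored in the `ds-privilege-name` attribute with a leading `-` marking a removed privilege (this page does not name that attribute); the sample entries and their DNs are constructed.

```python
# Added example: effective privileges of a root user entry.
# Assumption: per-user grants live in ds-privilege-name; "-name" removes one.
DEFAULT_ROOT_PRIVILEGES = frozenset("""
audit-data-security backend-backup backend-restore bypass-acl config-read
config-write disconnect-client ldif-export lockdown-mode manage-topology
metrics-read modify-acl password-reset permit-get-password-policy-state-issues
privilege-change server-restart server-shutdown soft-delete-read stream-values
unindexed-search update-schema
""".split())  # default set as listed on this page

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {attr_lower: [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def effective_privileges(entry, defaults=DEFAULT_ROOT_PRIVILEGES):
    """Defaults (unless inheritance is FALSE), plus grants, minus removals."""
    inherit = entry.get("ds-cfg-inherit-default-root-privileges", ["TRUE"])[0]
    privs = set(defaults) if inherit.upper() != "FALSE" else set()
    values = entry.get("ds-privilege-name", [])
    privs |= {v for v in values if not v.startswith("-")}
    privs -= {v[1:] for v in values if v.startswith("-")}
    return privs

def can_alter_default_root_privileges(privs):
    """Apply the requirement stated in the last paragraph above."""
    if not {"config-read", "config-write", "privilege-change"} <= privs:
        return "no"
    return "yes" if "bypass-acl" in privs else "only-if-acl-permits"

# Constructed sample entries (not taken from a real server).
MONITOR = parse_entry("""
dn: cn=Monitor Admin,cn=Root DNs,cn=config
ds-cfg-inherit-default-root-privileges: FALSE
ds-privilege-name: config-read
ds-privilege-name: metrics-read
""")
OPERATOR = parse_entry("""
dn: cn=Operator,cn=Root DNs,cn=config
ds-privilege-name: proxied-auth
ds-privilege-name: -bypass-acl
""")

if __name__ == "__main__":
    for e in (MONITOR, OPERATOR):
        p = effective_privileges(e)
        print(e["dn"][0], len(p), can_alter_default_root_privileges(p))
```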