Beginning with Delegated Admin 3.5.0 and PingDirectory 7.3.0.1, you can set user access to standard and constructed attributes to read-only and read/write. You should restrict access to constructed attributes to read-only. Read-only attributes do not appear on the UI pages that are associated with the creation of users groups and other objects.

  • Use the dsconfig tool to set a standard or constructed attribute as read-only.
    dsconfig set-delegated-admin-attribute \
      --type-name users  \
      --attribute-type modifyTimestamp  \
      --set mutability:read-only
    The following example resets a standard or constructed attribute from read-only to read/write.
    dsconfig set-delegated-admin-attribute \
      --type-name users  \
      --attribute-type modifyTimestamp  \
      --reset mutability