The PingDirectory server contains a privilege subsystem that allows for a more fine-grained control of privilege assignments.

Note: Creating restricted root user accounts requires assigning privileges and necessary access controls for actions on specific data or backends. Access controls are determined by how the directory is configured and the structure of your data. See Managing access control for more information.

The following set of root privileges are available to each root user DN.

Default Root Privileges
Privilege Description

audit-data-security

Allows the associated user to execute data security auditing tasks.

backend-backup

Allows the user to perform backend backup operations.

backend-restore

Allows the user to perform backend restore operations.

bypass-acl

Allows the user to bypass access control evaluation.

config-read

Allows the user to read the server configuration.

config-write

Allows the user to update the server configuration.

disconnect-client

Allows the user to terminate arbitrary client connections.

ldif-export

Allows the user to perform LDIF export operations.

ldif-import

Allows the user to perform LDIF import operations.

lockdown-mode

Allows the user to request a server lockdown.

manage-topology

Allows the user to modify topology setting.

metrics-read

Allows the user to read server metrics.

modify-acl

Allows the user to modify access control rules.

password-reset

Allows the user to reset user passwords but not their own. The user must also have privileges granted by access control to write the user password to the target entry.

permit-get-password-policy-state-issues

Allows the user to access password policy state issues.

privilege-change

Allows the user to change the set of privileges for a specific user, or to change the set of privileges automatically assigned to a root user.

server-restart

Allows the user to request a server restart.

server-shutdown

Allows the user to request a server shutdown.

soft-delete-read

Allows the user access to soft-deleted entries.

stream-values

Allows the user to perform a stream values extended operation that obtains all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task

Allows the associated user to invoke tasks created by third-party developers.

unindexed-search

Allows the user to perform an unindexed search in the Oracle Berkeley DB Java Edition backend.

update-schema

Allows the user to update the server schema.

use-admin-session

Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

The PingDirectory server provides other privileges that are not assigned to the root user DN by default but can be added using the ldapmodify tool (see Modifying Individual Root User Privileges) for more information.

Other Available Privileges
Privilege Description

bypass-pw-policy

Allows the associated user bypass password policy rules and restrictions.

bypass-read-aci

Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

jmx-notify

Allows the associated user to subscribe to receive JMX notifications.

jmx-read

Allows the associated user to perform JMX read operations.

jmx-write

Allows the associated user to perform JMX write operations.

permit-externally-processed-authentication

Allows the associated user accept externally processed authentication.

permit-proxied-mschapv2-details

Allows the associated user to permit MS-CHAP V2 handshake protocol.

proxied-auth

Allows the associated user to accept proxied authorization.