Privileges

PingDirectory defines a number of privileges that provide fine-grained control over which administrative operations an account may perform.

The capabilities of the Directory Manager account that is created by default during a PingDirectory install are granted entirely by the assignment of privileges. The account itself possesses no special capability beyond the privileges assigned to it, so any other account in the directory that is assigned the same privileges has exactly the same level of access as the Directory Manager account.

The privileges assigned to the Directory Manager account can be removed (or the account itself can be deleted) without impacting the functionality of the directory.

The privileges are listed below. "Root privilege: yes" means the privilege is part of the default set automatically assigned to root users such as the Directory Manager (see privilege-change below); "no" means it must be granted explicitly even to root users.

audit-data-security (root privilege: yes)
    Provides the ability to audit the security of data in any backend. The user still needs access control permission to perform the requested operation.

backend-backup (root privilege: yes)
    Provides the ability to perform a backup of one or more backends with the server online via the tasks interface. The user still needs access control permission to perform the requested operation.

backend-restore (root privilege: yes)
    Provides the ability to perform a restore of a backend with the server online through the tasks interface. The user still needs access control permission to perform the requested operation.

bypass-acl (root privilege: yes)
    Provides the ability to bypass all access control evaluation for any type of operation.
    Note: users with the bypass-acl privilege can still be subject to other restrictions, such as other privileges that might be required to process a particular operation.

bypass-pw-policy (root privilege: no)
    Provides the ability to exempt an administrator from certain types of password policy evaluation when performing an operation against another user.

bypass-read-acl (root privilege: no)
    Provides the ability to bypass all access control evaluation, but only for bind, compare, and search operations. Normal access control evaluation is still performed for add, delete, extended, modify, and modify DN operations.

collect-support-data (root privilege: yes)
    Allows the requester to invoke the collect-support-data tool using an administrative task or extended operation.

config-read (root privilege: yes)
    Provides the ability to perform search and compare operations in the server configuration. These operations are still subject to access control restrictions.

config-write (root privilege: yes)
    Provides the ability to perform add, delete, and modify operations in the server configuration. These operations are still subject to access control restrictions.

disconnect-client (root privilege: yes)
    Provides the ability to terminate an arbitrary client connection. The user still needs access control permission to perform the requested operation.

exec-task (root privilege: no)
    Allows the requester to schedule an exec task.

file-servlet-access (root privilege: yes)
    Indicates that the requester may be permitted access to the content exposed by file servlet instances that require this privilege.

jmx-notify (root privilege: no)
    Provides the ability to subscribe to receive JMX notifications.

jmx-read (root privilege: no)
    Provides the ability to perform read operations using JMX.

jmx-write (root privilege: no)
    Provides the ability to perform write operations using JMX.

ldif-export (root privilege: yes)
    Provides the ability to perform LDIF export operations with the server online through the tasks interface. The user still needs access control permission to perform the requested operation.

ldif-import (root privilege: yes)
    Provides the ability to perform LDIF import operations with the server online through the tasks interface. The user still needs access control permission to perform the requested operation.

lockdown-mode (root privilege: yes)
    Provides the ability to cause the server to enter and leave lockdown mode or to access the server while it is in lockdown mode. The user still needs access control permission to perform the requested operation.

manage-topology (root privilege: yes)
    Provides the ability to manage a topology of server instances, including adding servers to and removing servers from a topology. The user still needs access control permission to perform the requested operation.

metrics-read (root privilege: yes)
    Provides the ability to search or retrieve data in the metrics backend. The user still needs access control permission to perform the requested operation.

modify-acl (root privilege: yes)
    Provides the ability to modify access control rules. The user still needs access control permission to perform the requested operation.

password-reset (root privilege: yes)
    Provides the ability to change another user's password. The user still needs access control permission to perform the requested operation.

permit-externally-processed-authentication (root privilege: no)
    Provides the ability for the requester to issue a bind request that uses the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION Simple Authentication and Security Layer (SASL) mechanism.

permit-forwarding-client-connection-policy (root privilege: no)
    Provides the ability to request that an operation be processed using a specified client connection policy.

permit-get-password-policy-state-issues (root privilege: yes)
    Provides the ability for the requester to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

privilege-change (root privilege: yes)
    Provides the ability to alter the set of privileges assigned to an individual user or to change the set of privileges that are automatically assigned to root users.

proxied-auth (root privilege: no)
    Provides the ability to request that an operation be processed using an alternate authorization identity, such as using the proxied authorization or intermediate client request control or using a SASL authorization identity.

server-restart (root privilege: yes)
    Provides the ability to request a server restart using the tasks interface. The user still needs access control permission to perform the requested operation.

server-shutdown (root privilege: yes)
    Provides the ability to request a server shutdown using the tasks interface. The user still needs access control permission to perform the requested operation.

soft-delete-read (root privilege: yes)
    Provides the ability to retrieve, compare, modify, delete, or undelete soft-deleted entries. The user still needs access control permission to perform the requested operation.

stream-values (root privilege: yes)
    Provides the ability to use the stream directory values extended operation to obtain a list of all entry DNs or unique attribute values, or to use the stream proxy values extended operation to obtain information from the global index. The user still needs access control permission to perform the requested operation.

third-party-task (root privilege: yes)
    Provides the ability to invoke a third-party task in the server. The user still needs access control permission to perform the requested operation.

unindexed-search (root privilege: yes)
    Provides the ability to perform an expensive unindexed search in a local DB backend. The user still needs access control permission to perform the requested operation.

unindexed-search-with-control (root privilege: no)
    Provides the ability to perform an unindexed search if the request also includes the permit unindexed search request control.

update-schema (root privilege: yes)
    Provides the ability to alter the server schema. The user still needs access control permission to perform the requested operation.

use-admin-session (root privilege: yes)
    Provides the ability to use an administrative session to request that operations be processed in a dedicated thread pool.

Privileges are granted to an account by adding the desired privilege names to the account's ds-privilege-name attribute.

This attribute can be populated explicitly, populated by a virtual attribute, or a combination of the two.

Privileges make it possible to grant an account the ability to perform a basic administrative task, such as server-shutdown, without granting it a far more powerful privilege such as bypass-acl.
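As an added example (not PingDirectory's own tooling), the script below reads an LDIF export of accounts, compares each account's ds-privilege-name values against a per-role least-privilege set, flags privileges from which the holder could take over the directory, and emits the ldapmodify change that revokes the excess. The LDIF is constructed, and the role table and the "escalation" set are this script's assumptions rather than anything the server defines.

```python
"""Audit ds-privilege-name grants in a PingDirectory LDIF export.

Added example, not PingDirectory tooling. SAMPLE_LDIF is constructed; the
ESCALATION and ROLE_ALLOWED sets are this script's own assumptions.
"""
import base64
from collections import defaultdict

# Assumption: a holder of any of these can reach full control of the
# directory (grant itself more privileges, rewrite ACIs or configuration,
# run commands on the host, or act as another identity).
ESCALATION = {"bypass-acl", "privilege-change", "config-write", "modify-acl",
              "exec-task", "third-party-task", "proxied-auth", "password-reset"}

# Assumption: the least-privilege set each role may hold, keyed by the
# account's employeeType value. Roles not listed may hold nothing.
ROLE_ALLOWED = {
    "ops": {"server-restart", "server-shutdown", "backend-backup",
            "collect-support-data"},
    "audit": {"config-read", "metrics-read", "audit-data-security"},
}

# Constructed export: an over-privileged operator, a clean auditor and a
# helpdesk account with no defined role. Includes a base64 ("::") value and
# a folded line (leading space) so the reader handles both LDIF forms.
SAMPLE_LDIF = """\
dn: uid=ops1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
employeeType: ops
ds-privilege-name: server-restart
ds-privilege-name: server-shutdown
ds-privilege-name: bypass-acl

dn: uid=auditor,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
employeeType: audit
ds-privilege-name: config-read
ds-privilege-name:: bWV0cmljcy1yZWFk
ds-privilege-name: audit-data-sec
 urity

dn: uid=helpdesk,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
employeeType: helpdesk
ds-privilege-name: password-reset
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64
    values, lowercases attribute names. Returns [(dn, {attr: [values]})]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:         # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        else:
            attrs[name.lower()].append(value)
    return entries


def audit(entries, role_attr="employeetype"):
    """Return {dn: finding} for accounts holding a privilege outside their
    role's allowed set or in ESCALATION. Unprivileged accounts are skipped."""
    findings = {}
    for dn, attrs in entries:
        held = set(attrs.get("ds-privilege-name", []))
        if not held:
            continue
        role = attrs.get(role_attr, ["unknown"])[0]
        excess = sorted(held - ROLE_ALLOWED.get(role, set()))
        escalation = sorted(held & ESCALATION)
        if excess or escalation:
            findings[dn] = {"role": role, "excess": excess,
                            "escalation": escalation}
    return findings


def revoke_ldif(dn, privileges):
    """LDIF modify that deletes the given ds-privilege-name values. Applying
    it needs the privilege-change privilege plus ACI write permission."""
    lines = [f"dn: {dn}", "changetype: modify", "delete: ds-privilege-name"]
    lines += [f"ds-privilege-name: {p}" for p in sorted(privileges)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn, f in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: role={f['role']} excess={f['excess']} "
              f"escalation={f['escalation']}")
        if f["excess"]:
            print(revoke_ldif(dn, f["excess"]))
```

Run it against a real export (ldif-export with ds-privilege-name included) and feed the generated changes to ldapmodify as an account that holds privilege-change; the auditor entry shows that the role sets have to be maintained deliberately, because an unknown role is treated as allowed to hold nothing.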

Access control instructions (ACI)

ACIs define the level of access an account has to entries and attributes in the directory. By default, PingDirectory applies an implicit deny, so read and write access to entries and attributes must be explicitly granted by ACIs. Only accounts holding the bypass-acl privilege (or bypass-read-acl, for bind, compare, and search operations) are exempt from ACI evaluation.
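Because access is denied unless an ACI grants it, the ACIs themselves are the thing to review. The following added example (not from the page or from PingDirectory) parses ACI values of the common (target clauses)(version 3.0; acl "name"; allow|deny (rights) bind rule;) form and flags allow rules that hand write-class rights to every user, or to anyone but the user itself on attributes that decide who may do what (aci, ds-privilege-name, userPassword). The ACI values are constructed; the treatment of a missing targetattr clause as "*" is an assumption.

```python
"""Flag over-broad ACIs in a PingDirectory LDIF export.

Added example, not part of the page or of PingDirectory. SAMPLE_ACIS is
constructed; the parser covers only the common
(target clauses)(version 3.0; acl "name"; allow|deny (rights) bind rule;) form.
"""
import re

# Constructed (entry DN, aci value) pairs as an export would show them.
SAMPLE_ACIS = [
    ("dc=example,dc=com",
     '(targetattr="*")(version 3.0; acl "Anyone full"; '
     'allow (all) userdn="ldap:///anyone";)'),
    ("dc=example,dc=com",
     '(targetattr!="userPassword||ds-privilege-name||aci")(version 3.0; '
     'acl "Authenticated read"; allow (read,search,compare) userdn="ldap:///all";)'),
    ("ou=People,dc=example,dc=com",
     '(targetattr="userPassword")(version 3.0; acl "Self password change"; '
     'allow (write) userdn="ldap:///self";)'),
    ("dc=example,dc=com",
     '(targetattr="ds-privilege-name")(version 3.0; acl "Admins grant privileges"; '
     'allow (write) groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)'),
]

TARGET_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
ACL_RE = re.compile(r'acl\s*"([^"]*)"')
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')
# Rights that change data or let the holder act as another identity.
WRITE_CLASS = {"all", "write", "add", "delete", "proxy"}
# Bind-rule subjects matching unauthenticated (anyone) or every (all) user.
BROAD_SUBJECTS = ('userdn="ldap:///anyone"', 'userdn="ldap:///all"')
# Attributes whose modification changes who may do what.
SENSITIVE_ATTRS = {"aci", "ds-privilege-name", "userpassword"}


def parse_aci(aci):
    """Split an ACI into its target clauses, acl name and (kind, rights, bind)
    rules. Bind rules are kept as text."""
    head, sep, body = aci.partition("(version 3.0;")
    if not sep:
        raise ValueError("unsupported ACI form: " + aci)
    targets = {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(head)}
    name = ACL_RE.search(body)
    rules = [(kind, {r.strip().lower() for r in rights.split(",")}, bind.strip())
             for kind, rights, bind in RULE_RE.findall(body)]
    return {"name": name.group(1) if name else "", "targets": targets,
            "rules": rules}


def reachable_sensitive(targets):
    """SENSITIVE_ATTRS reached by the targetattr clause: "*" reaches all of
    them, "!=" reaches all but the listed ones. An absent targetattr is
    treated like "*" here (assumption; confirm the server's default)."""
    op, val = targets.get("targetattr", ("=", "*"))
    listed = {a.strip().lower() for a in val.split("||")}
    if op == "!=":
        return SENSITIVE_ATTRS - listed
    if "*" in listed:
        return set(SENSITIVE_ATTRS)
    return SENSITIVE_ATTRS & listed


def find_risky(aci_list):
    """(dn, acl name, reason) for allow rules granting write-class rights to
    every user, or to anyone but the user itself on a sensitive attribute
    (self-service userPassword changes are the one accepted case)."""
    risky = []
    for dn, aci in aci_list:
        parsed = parse_aci(aci)
        sensitive = reachable_sensitive(parsed["targets"])
        for kind, rights, bind in parsed["rules"]:
            if kind != "allow" or not rights & WRITE_CLASS:
                continue
            if any(s in bind for s in BROAD_SUBJECTS):
                risky.append((dn, parsed["name"],
                              "write-class rights for every user"))
            elif sensitive and not (sensitive == {"userpassword"}
                                    and 'userdn="ldap:///self"' in bind):
                risky.append((dn, parsed["name"], "write on "
                              + ", ".join(sorted(sensitive)) + " for " + bind))
    return risky


if __name__ == "__main__":
    for dn, name, reason in find_risky(SAMPLE_ACIS):
        print(f"{dn} [{name}]: {reason}")
```

The fourth sample ACI is reported as well, not because it is wrong but because any grant of write on ds-privilege-name is a privilege-assignment path that should be known and reviewed (the holder also needs the privilege-change privilege for the write to succeed).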

Client connection policy

A number of different client connection policies may be defined on a server. A client connection policy can, among other things, determine:

  • Which branches of the directory are accessible

  • Allowed operation types (for example, search, add, delete, and modify)

  • Allowed filter types

  • Search size and time restrictions

  • Attributes to be excluded from search results

  • Attributes that cannot be included in search filters

  • Attributes that cannot be modified (even if ACIs would normally allow)

Which client connection policy applies to an authenticated account can be determined by:

  • Included/excluded IP address or IP range

  • Connection type (HTTPS, LDAPS, LDAP)

  • Location of authenticated account in the directory

  • Group membership of authenticated account

  • Attribute value contained in the authenticated account

  • Authenticated account privileges

A common use of client connection policies is a policy for unencrypted LDAP connections under which only accounts in specific groups are permitted to connect without encryption, and those accounts can see only a limited set of entries and attributes.