Privileges
PingDirectory defines a number of privileges that provide fine-grained control over administrative capabilities.
The capabilities of the Directory Manager account that is created by default during a PingDirectory install are granted by the assignment of privileges. The default Directory Manager account itself possesses no special privileges or capabilities beyond those assigned by privileges. Any account in the directory that is assigned the same privileges as that default Directory Manager has exactly the same level of access as the Directory Manager account.
The privileges assigned to the Directory Manager account can be removed (or the account itself can be deleted) without impacting the functionality of the directory.
| Privilege name | Root privilege | Privilege description |
|---|---|---|
| | Yes | Provides the ability to audit the security of data in any backend. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to perform a backup of one or more backends with the server online via the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to perform a restore of a backend with the server online through the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to bypass all access control evaluation for any type of operation. Note: Users with the |
| | No | Provides the ability to exempt an administrator from certain types of password policy evaluation when performing an operation against another user. |
| | No | Provides the ability to bypass all access control evaluation, but only for bind, compare, and search operations. Normal access control evaluation is still performed for add, delete, extended, modify, and modify DN operations. |
| | Yes | Allows the requester to invoke the collect-support-data tool using an administrative task or extended operation. |
| | Yes | Provides the ability to perform search and compare operations in the server configuration. These operations are still subject to access control restrictions. |
| | Yes | Provides the ability to perform add, delete, and modify operations in the server configuration. These operations are still subject to access control restrictions. |
| | Yes | Provides the ability to terminate an arbitrary client connection. The user still needs access control permission to perform the requested operation. |
| | No | Allows the requester to schedule an exec task. |
| | Yes | Indicates that the requester may be permitted access to the content exposed by file servlet instances that require this privilege. |
| | No | Provides the ability to subscribe to receive JMX notifications. |
| | No | Provides the ability to perform read operations using JMX. |
| | No | Provides the ability to perform write operations using JMX. |
| | Yes | Provides the ability to perform LDIF export operations with the server online through the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to perform LDIF import operations with the server online through the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to cause the server to enter and leave lockdown mode or to access the server while it is in lockdown mode. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to manage a topology of server instances, including adding servers to and removing servers from a topology. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to search or retrieve data in the metrics backend. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to modify access control rules. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to change another user's password. The user still needs access control permission to perform the requested operation. |
| | No | Provides the ability for the requester to issue a bind request that uses the |
| | No | Provides the ability to request that an operation be processed using a specified client connection policy. |
| | Yes | Provides the ability for the requester to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control. |
| | Yes | Provides the ability to alter the set of privileges assigned to an individual user or to change the set of privileges that can be automatically assigned to root users. |
| | No | Provides the ability to request that an operation be processed using an alternate authorization identity, such as using the proxied authorization or intermediate client request control or using a SASL authorization identity. |
| | Yes | Provides the ability to request a server restart using the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to request a server shutdown using the tasks interface. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to retrieve, compare, modify, delete, or undelete soft-deleted entries. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to use the stream directory values extended operation to obtain a list of all entry DNs or unique attribute values, or to use the stream proxy values extended operation to obtain information from the global index. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to invoke a third-party task in the server. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to perform an expensive unindexed search in a local DB backend. The user still needs access control permission to perform the requested operation. |
| | No | Provides the ability to perform an unindexed search if the request also includes the permit unindexed search request control. |
| | Yes | Provides the ability to alter the server schema. The user still needs access control permission to perform the requested operation. |
| | Yes | Provides the ability to use an administrative session to request that operations be processed in a dedicated thread pool. |
Privileges are granted to an account by adding the desired privilege to the account's ds-privilege-name attribute. This attribute can be explicitly populated, populated with a virtual attribute, or a combination of the two.
Privileges allow us to grant accounts the ability to perform basic administrative tasks, such as server-shutdown, without needing to grant more powerful privileges, such as bypass-acl.
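As an added example (not from the PingDirectory documentation), a small Python audit that parses ds-privilege-name values from an LDIF export and lists every account holding at least the privilege set of a reference account such as the Directory Manager, which, as noted above, gives exactly the same level of access. The sample export is constructed, and the privilege names other than server-shutdown are assumed to match PingDirectory's standard privilege set.

```python
"""Audit ds-privilege-name assignments in a PingDirectory LDIF export."""

# Constructed sample export (not real data). Privilege names other than
# server-shutdown are assumed to match PingDirectory's standard set.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-privilege-name: bypass-acl
ds-privilege-name: config-write
ds-privilege-name: privilege-change

dn: uid=ops.admin,ou=People,dc=example,dc=com
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart

dn: uid=shadow.admin,ou=People,dc=example,dc=com
ds-privilege-name: bypass-acl
ds-privilege-name: privilege-change
ds-privilege-name: config-write
ds-privilege-name: server-shutdown
"""

def parse_privileges(ldif_text):
    """Return {dn: set(privilege names)} for every entry in the export."""
    unfolded = []  # join LDIF continuation lines (leading space) first
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    privs, dn = {}, None
    for line in unfolded:
        if not line.strip():  # a blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":  # base64 ("dn::") values are not decoded here
            dn = value
            privs.setdefault(dn, set())  # keep accounts with no privileges
        elif attr == "ds-privilege-name" and dn is not None:
            privs[dn].add(value.lower())
    return privs

def accounts_at_least_as_privileged(privs, reference_dn):
    """DNs other than reference_dn whose privilege set covers its set."""
    reference = privs[reference_dn]
    return sorted(dn for dn, held in privs.items()
                  if dn != reference_dn and reference <= held)
```

Run it against a real export (for example the output of an LDIF export task) and review every DN it returns as a Directory Manager equivalent.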
Access control instructions (ACI)
ACIs are used to define the level of access an account can have to entries and attributes in the directory. By default, PingDirectory is configured with an implicit deny, so read/write access to entries must be explicitly granted.
Client connection policy
A number of different client connection policies may be defined on a server. A client connection policy can, among other things, determine:
- Which branches of the directory are accessible
- Allowed operation types (for example, search, add, delete, and modify)
- Allowed filter types
- Search size and time restrictions
- Attributes to be excluded from search results
- Attributes that cannot be included in search filters
- Attributes that cannot be modified (even if ACIs would normally allow it)
Which client connection policy applies to an authenticated account can be determined by:
- Included/excluded IP address or IP range
- Connection type (HTTPS, LDAPS, LDAP)
- Location of the authenticated account in the directory
- Group membership of the authenticated account
- Attribute value contained in the authenticated account
- Authenticated account privileges
A common use of client connection policies is creating a connection policy for insecure LDAP communications where only accounts in specific groups are allowed to connect insecurely and can only see a limited number of entries and attributes.