Privileges are assigned to an entry through the population of the ds-privilege-name attribute with a list of the privileges that entry should have.

Ongoing maintenance and auditing of privilege assignment can be challenging if privileges are assigned through direct population of the ds-privilege-name attribute. Ping Identity does not recommend direct population of this attribute except in special cases.

Ping Identity recommends using group-membership-based virtual attributes to populate privileges, so that a privilege is granted or revoked by changing group membership rather than by editing each entry.

For example, to assign the password-reset privilege, create a constructed virtual attribute similar to the following:

dsconfig create-virtual-attribute \
 --name ADM-Password-Reset-Priv --type constructed \
 --set enabled:true --set attribute-type:ds-privilege-name \
 --set group-dn:cn=ADM-PasswordReset,ou=groups,ou=admins,dc=example,dc=com \
 --set value-pattern:password-reset

Using this virtual attribute, an account can be granted the password reset privilege by adding the user to the ADM-PasswordReset group.

Exception

You might encounter a potential bug with applications that heavily use Proxy Auth privileges where security context changes multiple times over a single connection. This behavior is typically limited to applications such as PingFederate and Siteminder. An existing connection that’s heavily used for Proxy Auth might forget what privileges it has unless they are explicitly assigned to the entry’s ds-privilege-name attribute.
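Because virtual attributes are not written to an LDIF export, any ds-privilege-name value that does appear in one was populated directly on the entry. The following added example (not from the Ping Identity documentation) audits such an export: it parses the LDIF, lists who holds a privilege through the group that drives the virtual attribute, and reports every directly populated privilege that is not on an allowlist of the proxy-auth service accounts covered by the exception above. The sample LDIF, the DNs and the allowlisted uid=pf-proxy entry are all constructed for illustration; it assumes the export was taken without virtual attributes.

```python
# Constructed sample export-ldif output (not real data). The export was taken
# without virtual attributes, so every ds-privilege-name value in it was
# populated directly on the entry rather than derived from group membership.
SAMPLE_LDIF = """\
dn: cn=ADM-PasswordReset,ou=groups,ou=admins,dc=example,dc=com
uniqueMember: uid=helpdesk1,ou=people,dc=example,dc=com

dn: uid=helpdesk1,ou=people,dc=example,dc=com
uid: helpdesk1

dn: uid=pf-proxy,ou=services,dc=example,dc=com
ds-privilege-name: proxied-auth

dn: uid=legacy-admin,ou=people,dc=example,dc=com
ds-privilege-name: password-reset
ds-privilege-name: config-read
"""

def parse_ldif(text):
    """Parse plain LDIF into {dn: {attr: [values]}}; attribute names are
    lower-cased and folded continuation lines are joined (no base64 support)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF line folding
        else:
            unfolded.append(raw)
    entries, attrs = {}, {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line:
            if attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def group_members(entries, group_dn):
    """Member DNs of a static group (uniqueMember or member), lower-cased."""
    g = entries.get(group_dn, {})
    return sorted(v.lower() for v in g.get("uniquemember", []) + g.get("member", []))

def audit_direct_privileges(entries, allowed_direct=()):
    """Return {dn: [privileges]} for entries with a directly populated
    ds-privilege-name, skipping DNs on the proxy-auth exception allowlist."""
    allowed = {d.lower() for d in allowed_direct}
    return {dn: sorted(a["ds-privilege-name"]) for dn, a in entries.items()
            if "ds-privilege-name" in a and dn.lower() not in allowed}
```

Run it against a real export-ldif file by passing the file contents to parse_ldif; any DN reported by audit_direct_privileges is a candidate to migrate to the group-based virtual attribute.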