Privileges are assigned to an entry by populating the ds-privilege-name attribute with the list of privileges that entry should have.
Ongoing maintenance and auditing of privilege assignment can be challenging if privileges are assigned by directly populating the ds-privilege-name attribute. Ping Identity does not recommend direct population of this attribute except in special cases. Instead, Ping Identity recommends using group-membership-based virtual attributes to populate privileges.
For example, to assign the password-reset privilege, a virtual attribute would be created similar to:

dsconfig create-virtual-attribute \
--name ADM-Password-Reset-Priv --type constructed \
--set enabled:true --set attribute-type:ds-privilege-name \
--set group-dn:cn=ADM-PasswordReset,ou=groups,ou=admins,dc=example,dc=com \
--set value-pattern:password-reset

Using this virtual attribute, an account can be granted the password-reset privilege simply by adding the user to the ADM-PasswordReset group; the privilege disappears again when the user is removed from the group.
Exception
You might encounter a potential bug with applications that heavily use Proxy Auth privileges, where the security context changes multiple times over a single connection. This behavior is typically limited to applications such as PingFederate and Siteminder. An existing connection that’s heavily used for Proxy Auth might forget what privileges it has unless they are explicitly assigned to the entry’s ds-privilege-name attribute.
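The auditing difficulty described above (privileges scattered across entries rather than derived from group membership) can be checked mechanically. The script below is an added example and is not part of Ping Identity's documentation or tooling. It assumes an LDIF export of the directory in which virtual attributes are not written out, so that every ds-privilege-name value present in the file is a real, directly populated value rather than one constructed by a virtual attribute. It also carries an allow-list for the Exception case, so that service accounts which legitimately keep a privilege on the entry are not reported. The LDIF, the DNs and the allow-list contents are constructed for illustration; the privilege names password-reset and proxied-auth are the corresponding PingDirectory privilege names.

```python
"""Audit an LDIF export for directly populated ds-privilege-name values.

Added example, not Ping Identity code. Assumes an export that contains only
real attributes (no virtual attributes), so any ds-privilege-name seen here
bypasses the group-based virtual-attribute model. All sample data is
constructed for illustration.
"""
import base64
from collections import defaultdict

# Constructed sample export: one entry with direct assignments, one entry
# that relies on group membership only (so no ds-privilege-name is exported),
# and one service account that is covered by the allow-list.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
ds-privilege-name: password-reset
ds-privilege-name: config-read

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=pingfederate,ou=service-accounts,dc=example,dc=com
objectClass: inetOrgPerson
cn: pingfederate
ds-privilege-name: proxied-auth
"""

# Accounts whose direct assignment is justified by the Exception section
# (heavy proxied-auth clients). Keys are lower-cased DNs; values constructed.
ALLOW_LIST = {
    "cn=pingfederate,ou=service-accounts,dc=example,dc=com": {"proxied-auth"},
}


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) for each entry in text.

    Handles folded continuation lines (leading space), '#' comments and
    base64 ('::') values. Minimal parser for audit purposes, not a full RFC
    2849 implementation.
    """
    entries = []
    current = []

    def flush():
        if not current:
            return
        dn = None
        attrs = defaultdict(list)
        for line in current:
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
        current.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # unfold continuation line
        else:
            current.append(raw)
    flush()
    return entries


def find_direct_privileges(ldif_text, allow_list=ALLOW_LIST):
    """Return {dn: sorted privileges} for entries whose ds-privilege-name is
    populated directly and not covered by the allow-list.

    DN comparison is done by simple lower-casing, which is adequate for a
    report but is not full LDAP DN normalisation.
    """
    findings = {}
    for dn, attrs in parse_ldif(ldif_text):
        privs = set(attrs.get("ds-privilege-name", []))
        unexpected = privs - allow_list.get(dn.lower(), set())
        if unexpected:
            findings[dn] = sorted(unexpected)
    return findings


if __name__ == "__main__":
    for dn, privs in find_direct_privileges(SAMPLE_LDIF).items():
        print(f"direct ds-privilege-name on {dn}: {', '.join(privs)}")
```

Run against a real export (for example one produced by export-ldif) by reading the file into find_direct_privileges; every DN it reports is a candidate for moving to a group-based virtual attribute, or for an explicit allow-list entry if it is one of the proxied-auth applications covered by the Exception section.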