set super-user Command -- Configure Super User Access Level Rights

This command grants all access rights (permissions) at the super user access level to the specified users. The scope is the user's own entry, the user's own subtree, or the whole directory.
Access rights granted at this access level cannot be taken away by other access control rules.
Access control rules are effective only if you enable access controls.
This command has the following format:
set super-user [tag] = { users [auth-level = simple | ssl-auth] [validity = [start hhmm end hhmm] [on day]] };
  • tag
    (Optional) Defines a name for this rule.
  • users
    Defines the users that this rule applies to, where users is one of the following:
    • user = DN
      Defines the user that this rule applies to.
    • role = DN
      Defines the role that this rule applies to.
    • group = group-name
      Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.
    • user-subtree = DN
      Defines the top of the subtree of users that this rule applies to.
    • own-entry
      Specifies that the users defined in scope have super user access to their own entries only.
    • own-subtree
      Specifies that the users defined in scope have super user access to their own entries and any entries below their own entry.
  • auth-level = simple | ssl-auth
    (Optional) Specifies the level of authentication required. If you use this option, use one of the following:
    • simple
      Specifies that this rule only applies to users that bind using simple authentication (username and password).
    • ssl-auth
      Specifies that this rule only applies to users that bind using SSL authentication.
  • validity = [start hhmm end hhmm] [on day]
    (Optional) Defines the period during which this rule is valid. Use any of the following:
    • start hhmm end hhmm
      Defines the start and end of the period during which this rule is valid.
    • on day
      Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).
Example: Give Super User Privileges to One User
The following command defines a single user with super user privileges:
set super-user dsa-manager = { user = <c AU><o Democorp><commonName "DSA manager"> };
Example: Give Users Super User Rights to Their Own Entry Only
The following command gives all users in the domain of this DSA super user privileges on their own entry from 0800 hours to 1800 hours on Monday (day 1) to Friday (day 5):
set super-user self = { own-entry validity = ( start 0800 end 1800 on 12345 ) };
When you include this command in an access.dxc file that multiple DSAs source, all users in the domains of those DSAs will have super user privileges on their own entries.
The own-entry and own-subtree options are the only types of super user rule that do not grant the user access to all parts of the DSA.
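Because super user rights cannot be taken away by other access control rules, it helps to list every such rule when reviewing an access.dxc file. The following Python sketch is an added example, not part of the product or its documentation: it parses rules written in the format shown above and notes which ones are not limited to own-entry or own-subtree, use the deprecated group option, or carry no auth-level or validity restriction. The function names, the review heuristics and the third sample rule are assumptions made for illustration.

```python
import re

# Grammar from the page: set super-user [tag] = { users [auth-level ...] [validity ...] };
RULE_RE = re.compile(r"set\s+super-user(?:\s+([\w-]+))?\s*=\s*\{(.*?)\}\s*;", re.S)
KIND_RE = re.compile(
    r"(?<![\w-])(?:(user-subtree|user|role|group)\s*=|(own-entry|own-subtree)(?![\w-]))")

def parse_rules(text):
    """Return one dict per 'set super-user' rule found in text."""
    rules = []
    for tag, body in RULE_RE.findall(text):
        kind = KIND_RE.search(body)
        auth = re.search(r"auth-level\s*=\s*(simple|ssl-auth)", body)
        validity = re.search(r"validity\s*=(.*)", body, re.S)
        window = validity.group(1) if validity else ""
        hours = re.search(r"start\s+(\d{4})\s+end\s+(\d{4})", window)
        days = re.search(r"\bon\s+([1-7]+)", window)
        rules.append({
            "tag": tag or None,
            "kind": (kind.group(1) or kind.group(2)) if kind else None,
            "auth_level": auth.group(1) if auth else None,
            "hours": hours.groups() if hours else None,
            "days": days.group(1) if days else None,
        })
    return rules

def review(rule):
    """Reviewer heuristics (assumptions of this example, not product checks)."""
    notes = []
    if rule["kind"] not in ("own-entry", "own-subtree"):
        notes.append("grants access to all parts of the DSA")
    if rule["kind"] == "group":
        notes.append("uses a deprecated access control group")
    if rule["auth_level"] is None:
        notes.append("not restricted by auth-level")
    if rule["hours"] is None and rule["days"] is None:
        notes.append("no validity period")
    return notes

# Constructed sample: the page's two examples plus one made-up group rule.
SAMPLE = '''
set super-user dsa-manager = { user = <c AU><o Democorp><commonName "DSA manager"> };
set super-user self = { own-entry validity = ( start 0800 end 1800 on 12345 ) };
set super-user ops = { group = admins auth-level = ssl-auth };
'''

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(r["tag"], r["kind"], "->", "; ".join(review(r)) or "no findings")
```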