Reference Guide › DSA Commands (DXserver Commands) › Commands Reference › set super-user Command—Configure Super User Access Level Rights

set super-user Command—Configure Super User Access Level Rights

This command grants all access rights (permissions) at the super user access level, to specified users. The scope is a user's own entry, or own subtree, or the whole directory.

Access rights granted at this access level cannot be taken away by other access control rules.

Access control rules are effective only if you enable access controls.

This command has the following format:

set super-user [tag] = { 

users 
[auth-level	= simple | ssl-auth]
[validity	= [start hhmm end hhmm] [on day]]

};

• tag

  (Optional) Defines a name for this rule.

• users

  Defines the users that this rule applies to, where users is one of the following:

  • user = DN

    Defines the user that this rule applies to.

  • role = DN

    Defines the role that this rule applies to.

  • group = group-name

    Defines the access control group that this rule applies to. Use of access control groups is deprecated, so use of this option is also deprecated.

  • user-subtree = DN

    Defines the top of the subtree of users that this rule applies to.

  • own-entry

    Specifies that the users defined in scope have super user access to their own entries only.

  • own-subtree

    Specifies that the users defined in scope have super user access to their own entries and any entries below their own entry.

• auth-level = simple | ssl-auth

  (Optional) Specifies the level of authentication required. If you use this option, use one of the following:

  • simple

    Specifies that this rule only applies to users that bind using simple authentication (username and password).

  • ssl-auth

    Specifies that this rule only applies to users that bind using SSL authentication.

• validity = [start hhmm end hhmm] [on day]

  (Optional) Defines the period during which this rule is valid. Use any of the following:

  • start hhmm end hhmm

    Defines the start and end of the period during which this rule is valid.

  • on day

    Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is Monday).

Example: Give Super User Privileges to One User

The following command defines a single user with super user privileges:

set super-user "dsa-manager" = {
 user = <c "AU"><o "Democorp"><commonName "DSA manager">
};

Example: Give Users Super User Rights to Their Own Entry Only

The following command gives all users in the domain of this DSA super user privileges on their own entry from 0800 hours to 1800 hours on Monday (day 1) to Friday (day 5):

set super-user "self" = { own-entry
 validity = ( start 0800 end 1800 on 12345 )
};

When you include this command in an access.dxc file that multiple DSAs source, all users in the domains of those DSAs will have super user privileges on their own entries.

The own-entry and own-subtree options are the only types of super user rule that do not grant the user access to all parts of the DSA.