| Name | Is Default Root Privilege | Description |
| audit-data-security | true | Provides the ability to audit the security of data in any backend. The user will still need access control permission to perform the requested operation. |
| backend-backup | true | Provides the ability to perform a backup of one or more backends with the server online via the tasks interface. The user will still need access control permission to perform the requested operation. |
| backend-restore | true | Provides the ability to perform a restore a backend with the server online via the tasks interface. The user will still need access control permission to perform the requested operation. |
| bypass-acl | true | Provides the ability to bypass all access control evaluation for any type of operation. Note, however, that users with the bypass-acl privilege may still be subject to other restrictions, like other privileges that may be required to process a particular operation. |
| bypass-pw-policy | false | Provides the ability for an administrator to be exempted from certain types of password policy evaluation when performing an operation against another user. |
| bypass-read-acl | false | Provides the ability to bypass all access control evaluation, but only for bind, compare, and search operations. Normal access control evaluation will still be performed for add, delete, extended, modify, and modify DN operations. |
| collect-support-data | true | Allows the requester to invoke the collect-support-data tool using an adminstrative task or extended operation . |
| config-read | true | Provides the ability to perform search and compare operations in the server configuration. These operations will still be subject to access control restrictions. |
| config-write | true | Provides the ability to perform add, delete, and modify operations in the server configuration. These operations will still be subject to access control restrictions. |
| disconnect-client | true | Provides the ability to terminate an arbitrary client connection. The user will still need access control permission to perform the requested operation. |
| exec-task | false | Allows the requester to schedule an exec task. |
| file-servlet-access | true | Indicates that the requester may be permitted access to the content exposed by file servlet instances that require this privilege. |
| jmx-notify | false | Provides the ability to subscribe to receive JMX notifications. |
| jmx-read | false | Provides the ability to perform read operations via JMX. |
| jmx-write | false | Provides the ability to perform write operations via JMX. |
| ldif-export | true | Provides the ability to perform LDIF export operations with the server online via the tasks interface. The user will still need access control permission to perform the requested operation. |
| ldif-import | true | Provides the ability to perform LDIF import operations with the server online via the tasks interface. The user will still need access control permission to perform the requested operation. |
| lockdown-mode | true | Provides the ability to cause the server to enter and leave lockdown mode, or to access the server while it is in lockdown mode. The user will still need access control permission to perform the requested operation. |
| manage-topology | true | Provides the ability to manage a topology of server instances, including adding servers to and removing servers from a topology. The user will still need access control permission to perform the requested operation. |
| metrics-read | true | Provides the ability to search or retrieve data in the metrics backend. The user will still need access control permission to perform the requested operation. |
| modify-acl | true | Provides the ability to modify access control rules. The user will still need access control permission to perform the requested operation. |
| password-reset | true | Provides the ability to change another user's password. The user will still need access control permission to perform the requested operation. |
| permit-externally-processed-authentication | false | Provides the ability for the requester to issue a bind request that uses the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism. |
| permit-forwarding-client-connection-policy | false | Provides the ability to request that an operation be processed using a specified client connection policy. |
| permit-get-password-policy-state-issues | true | Provides the ability for the requester to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control. |
| privilege-change | true | Provides the ability to alter the set of privileges assigned to an individual user, or to change the set of privileges that may be automatically assigned to root users. |
| proxied-auth | false | Provides the ability to request that an operation be processed using an alternate authorization identity (for example, using the proxied authorization or intermediate client request control, or using a SASL authorization identity). |
| server-restart | true | Provides the ability to request a server restart via the tasks interface. The user will still need access control permission to perform the requested operation. |
| server-shutdown | true | Provides the ability to request a server shutdown via the tasks interface. The user will still need access control permission to perform the requested operation. |
| soft-delete-read | true | Provides the ability to retrieve, compare, modify, delete, or undelete soft-deleted entries. The user will still need access control permission to perform the requested operation. |
| stream-values | true | Provides the ability to use the stream directory values extended operation to obtain a list of all entry DNs or unique attribute values, or to use the stream proxy values extended operation to obtain information from the global index. The user will still need access control permission to perform the requested operation. |
| third-party-task | true | Provides the ability to invoke a third-party task in the server. The user will still need access control permission to perform the requested operation. |
| unindexed-search | true | Provides the ability to perform an expensive unindexed search in a local DB backend. The user will still need access control permission to perform the requested operation. |
| unindexed-search-with-control | false | Provides the ability to perform an unindexed search if the request also includes the permit unindexed search request control. |
| update-schema | true | Provides the ability to alter the server schema. The user will still need access control permission to perform the requested operation. |
| use-admin-session | true | Provides the ability to use an administrative session to request that operations be processed in a dedicated thread pool. |