I need to provide some support staff with the ability to use DSTrace in

The support staff have limited rights in the tree, they can start/stop
IDM drivers, modify some objects etc. They can't modify password policy
or ACLs.

I have found out that a user needs supervisor entry rights to the NCP
server object to be able to use DSTrace from iMonitor.

If I give those rights what kind of other rights would the staff get by

What kind of security holes would I open?

They could of course probably delete the NCP object right?

OS is SLES10, non-OES, just pure SLES and eDirectory 8.8.6.