Redfish security question (user enumeration)

Joseph Reynolds jrey at
Tue Feb 11 04:35:20 AEDT 2020

The Redfish spec recently changed to allow users with the Login 
privilege to enumerate all BMC users.  Previously only the admin user 
could do this.  I disagree with this change and believe it is an 
unnecessary information exposure.  Details are in the Redfish forum post.

Are we okay with this?  Do we ask Redfish to change it back?  Please 
reply to this email or to the forum with your thoughts.

- Joseph


The change was made to Redfish version 2019.4 > DSP2046 > 
Redfish-1.0.4-PrivilegeRegistry > ManagerAccountCollection > GET:

OpenBMC has the corresponding implementation change pending here:

This was discussed in the 2020-02-05 OpenBMC security working group 
meeting as agenda item 3.  Minutes:
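One way to audit what a privilege-registry change like this exposes, as an added example that is not part of the original post nor of the OpenBMC or Redfish projects' code: it evaluates Redfish-style PrivilegeRegistry "Mappings" (each operation lists alternatives, any one of which may be satisfied; each alternative lists privileges that must all be held) and diffs which entities a Login-only user can GET before and after the change. The two registry fragments and the privilege names in them are constructed to mirror the change described above, not copied from DSP2046 or DSP8011.

```python
"""Evaluate a Redfish-style PrivilegeRegistry and diff read exposure.

Added example; the registry fragments are constructed, not the published
Redfish-1.0.4-PrivilegeRegistry contents.
"""
from typing import Dict, Iterable, List

# Constructed "before" registry: listing accounts needs ConfigureUsers.
REGISTRY_BEFORE: Dict = {
    "Mappings": [
        {"Entity": "ManagerAccountCollection",
         "OperationMap": {"GET": [{"Privilege": ["ConfigureUsers"]}],
                          "POST": [{"Privilege": ["ConfigureUsers"]}]}},
        {"Entity": "ManagerAccount",
         "OperationMap": {"GET": [{"Privilege": ["ConfigureUsers"]},
                                  {"Privilege": ["ConfigureSelf"]}]}},
    ]
}

# Constructed "after" registry: only the collection GET entry differs,
# now requiring just Login (the change the post objects to).
REGISTRY_AFTER: Dict = {
    "Mappings": [
        {"Entity": "ManagerAccountCollection",
         "OperationMap": {"GET": [{"Privilege": ["Login"]}],
                          "POST": [{"Privilege": ["ConfigureUsers"]}]}},
        {"Entity": "ManagerAccount",
         "OperationMap": {"GET": [{"Privilege": ["ConfigureUsers"]},
                                  {"Privilege": ["ConfigureSelf"]}]}},
    ]
}


def is_allowed(registry: Dict, entity: str, operation: str,
               held: Iterable[str]) -> bool:
    """True if a user holding `held` privileges may perform `operation`."""
    held_set = set(held)
    for mapping in registry["Mappings"]:
        if mapping["Entity"] != entity:
            continue
        alternatives = mapping["OperationMap"].get(operation, [])
        # Any alternative (OR) whose privileges are all held (AND) passes.
        return any(set(alt["Privilege"]) <= held_set for alt in alternatives)
    return False  # entity not mapped: deny by default


def readable_by(registry: Dict, held: Iterable[str]) -> List[str]:
    """Entities the given privilege set can GET under this registry."""
    held_list = list(held)
    return sorted(m["Entity"] for m in registry["Mappings"]
                  if is_allowed(registry, m["Entity"], "GET", held_list))


def exposure_diff(before: Dict, after: Dict, held: Iterable[str]) -> List[str]:
    """Entities newly readable with `held` after the registry change."""
    held_list = list(held)
    return sorted(set(readable_by(after, held_list))
                  - set(readable_by(before, held_list)))
```

Running `exposure_diff(REGISTRY_BEFORE, REGISTRY_AFTER, ["Login"])` reports the account collection as newly readable by any logged-in user, while the POST (account creation) entry stays restricted.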
