Redfish security question (user enumeration)

Gunnar Mills gmills at
Wed Feb 12 07:07:14 AEDT 2020

On 2/10/2020 12:21 PM, Richard Hanley wrote:
> One possible compromise is to make the account collection 
> discoverable, but only put the user's account into the response (unless 
> it is an admin user).
> On Mon, Feb 10, 2020 at 9:36 AM Joseph Reynolds <jrey at> wrote:
>     The Redfish spec recently changed to allow users with the Login
>     privilege to enumerate all BMC users.  Previously only the admin user
>     could do this.  I disagree with this change and believe it is an
>     unnecessary information exposure.  Details are in the Redfish
>     forum post.
>     OpenBMC has the corresponding implementation change pending here:
This was discussed in the Redfish call today. Redfish will update the 
documentation and registry to make clear only the current account will 
be shown in the AccountCollection if the user lacks the ConfigureUsers 
privilege (Richard's suggestion). A response in the thread explains the 
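The rule Gunnar describes (a caller without ConfigureUsers sees only its own member in the AccountCollection, a caller with it sees everyone) is easy to state and easy to get subtly wrong, because the member count has to be filtered along with the member list. The following is an added illustration written for this archive page, not code from OpenBMC, bmcweb or the Redfish specification; the `Requester` struct, the `accountCollectionMembers` and `accountCollectionCount` helpers and the user names are constructed for the example. The privilege names (`Login`, `ConfigureUsers`) and the collection URI are the standard Redfish ones.

```cpp
// Added example (not OpenBMC/bmcweb code): models the AccountCollection
// visibility rule discussed in the thread. Assumes a requester carries a
// user name and a set of Redfish privilege names.
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Redfish Privilege Registry names referenced in the thread.
static const std::string kConfigureUsers = "ConfigureUsers";
static const std::string kLogin = "Login";

struct Requester {
    std::string userName;                 // account making the request
    std::set<std::string> privileges;     // e.g. {"Login"} or {"Login", "ConfigureUsers"}
};

// Build the "Members" array for /redfish/v1/AccountService/Accounts.
//  - with ConfigureUsers: every account on the BMC is listed
//  - otherwise (Login only): just the requester's own account
// allUsers is the full account list the service knows about (constructed input).
std::vector<std::string> accountCollectionMembers(
    const Requester& req, const std::vector<std::string>& allUsers)
{
    std::vector<std::string> members;
    const bool canSeeAll = req.privileges.count(kConfigureUsers) > 0;
    for (const std::string& user : allUsers) {
        if (canSeeAll || user == req.userName) {
            members.push_back("/redfish/v1/AccountService/Accounts/" + user);
        }
    }
    return members;
}

// Members@odata.count must be derived from the filtered list. Reporting the
// real number of accounts would still disclose how many users exist even
// though their names are hidden.
std::size_t accountCollectionCount(const Requester& req,
                                   const std::vector<std::string>& allUsers)
{
    return accountCollectionMembers(req, allUsers).size();
}

int main()
{
    // Constructed sample account list.
    const std::vector<std::string> users = {"root", "operator1", "readonly1"};
    const Requester admin{"root", {kLogin, kConfigureUsers}};
    const Requester viewer{"readonly1", {kLogin}};

    for (const Requester* r : {&admin, &viewer}) {
        std::cout << r->userName << " sees "
                  << accountCollectionCount(*r, users) << " member(s):\n";
        for (const std::string& m : accountCollectionMembers(*r, users)) {
            std::cout << "  " << m << '\n';
        }
    }
    return 0;
}
```

The same filter has to be applied to any other view that reaches the accounts (ETags, the per-account GET, and error messages for a non-existent versus a hidden account), otherwise the enumeration the thread is trying to close simply moves to a different endpoint.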

