New Redfish roles for ServiceRep and OemRep
Joseph Reynolds
jrey at linux.ibm.com
Sat Feb 15 07:21:30 AEDT 2020
This is to propose two new Redfish roles:

The BMC Administrator should not have access to operations involving the
manufacturing process or servicing the host because these operations can
damage the system or cause unintended operation.

Examples of access needed:
1. ServiceRep - Needs to access BMC operations to service the system,
such as re-enabling locked out field replaceable units (FRUs) after
replacing a defective unit.
2. OemRep - Needs to access BMC operations to test the host system, such
as how the system responds to overheating.

I believe these roles are clearly distinct from role=Administrator or
any other role.

The roles should NOT have access to the BMC's configuration or user
management. For example, the BMC admin will be able to lock out any
service agent or OemRep using the regular user management functions.

Does anyone else have a need for these roles? If so, I will try to get them
into Redfish.

- Joseph

This topic was discussed briefly in the OpenBMC security working group,
2019-11-27:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
See also: https://github.com/ibm-openbmc/dev/issues/1529