Security Working Group meeting - this Wednesday February 19 - summary results

Gunnar Mills gmills at
Wed Mar 4 04:56:41 AEDT 2020

On 2/19/2020 5:05 PM, Joseph Reynolds wrote:
> On 2/17/20 4:29 PM, Joseph Reynolds wrote:
>> 2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish 
>> Privilege updates: 
>> and 
>> Update 
>> Feb 11: See 
>> clarified the intention to NOT enumerate all accounts (unless you are 
>> the admin)

> Consensus was to leave OpenBMC as-is (only admin can enumerate users) 
> until Redfish releases a new spec.
This is implemented as Redfish intended, a user without ConfigureUsers 
privilege will only see their own account here:

  We don't need to wait for the next Redfish release since Redfish is 
only further clarifying this in the documentation and implemented in 
28881 is how Redfish intended this to work. This fixes 2 validator 
errors if the validator is run as a ReadOnly or Operator role user.


More information about the openbmc mailing list