Post by f31816 on Apr 23, 2020 13:59:44 GMT
With the definition in the PrivilegeRegistry, ConfigureSelf makes it possible to GET the ManagerAccount of other users. Is this expected behavior, or should it only allow getting the account itself?
"Entity": "ManagerAccount",
"OperationMap": {
    "GET": [
        {
            "Privilege": [
                "ConfigureManager"
            ]
        },
        {
            "Privilege": [
                "ConfigureUsers"
            ]
        },
        {
            "Privilege": [
                "ConfigureSelf"
            ]
        }
    ],
Post by josephreynolds1 on Apr 24, 2020 20:14:00 GMT
Post by mraineri on May 1, 2020 15:09:25 GMT
Not exactly. I think part of the confusion here is the exact behavior when you see "ConfigureSelf" in the operation map. With the current structure of the privilege registry, it's not very clear that "ConfigureSelf" for a resource really just applies to the specific instance that represents yourself (or has some tie to your account). I think we might need to embellish the description of the ConfigureSelf privilege to clearly state this nuance, but I don't have a good answer for how else to show this in the privilege registry itself.
Post by f31816 on May 29, 2020 3:27:35 GMT
Another thing: Redfish has the predefined roles (Administrator, Operator, ReadOnly), but all of them are able to change the password.
Administrator: Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf
Operator: Login, ConfigureComponents, ConfigureSelf
ReadOnly: Login, ConfigureSelf
I am not sure whether this is the behavior expected by DMTF or a mistake.
Post by jautor on May 29, 2020 14:39:11 GMT
Yes, that's the expected behavior - that a user can change his/her own password. With the recently-added "PasswordChangeRequired" property, you can also force a user to change their password.
Jeff
Post by mraineri on May 29, 2020 14:51:16 GMT
Also, keep in mind that the privilege registry structure isn't very clear about some of the detailed nuances like this. The expectation is users with "ConfigureSelf" can only configure their own account, and it's not something they can generally do on all accounts. The following text is in the description of the ConfigureSelf privilege: "Can change the password for the current user account and log out of their own sessions."
Everyone can configure their own passwords (ConfigureSelf), but only admins can change anyone's password (ConfigureUsers).
Post by f31816 on Jun 4, 2020 6:25:48 GMT
Following this logic, the user should only be able to access the account instance for itself, and access to other account instances should be blocked if the user is not an admin.
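
The scoping discussed in this thread, as an added example that is not part of the original posts and is not DMTF or any vendor's code: it contrasts a literal reading of the quoted GET operation map with a check that honors ConfigureSelf only on the caller's own ManagerAccount. The function names and the account names (alice, bob, root) are assumptions made up for the illustration.

```python
# GET entry of the ManagerAccount OperationMap as quoted in the thread.
# Privileges inside one entry are ANDed; separate entries are ORed.
MANAGER_ACCOUNT_GET = [["ConfigureManager"], ["ConfigureUsers"], ["ConfigureSelf"]]

# Predefined roles and their privileges, as listed in the thread.
ROLES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers",
                      "ConfigureComponents", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureComponents", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}


def naive_allows(role, op_entries):
    """Literal reading of the map: ignores which account instance is targeted."""
    held = ROLES[role]
    return any(set(entry) <= held for entry in op_entries)


def allows(role, session_user, target_account, op_entries):
    """Same map, but ConfigureSelf only counts on the caller's own account."""
    held = ROLES[role]
    for entry in op_entries:
        required = set(entry)
        if not required <= held:
            continue  # caller lacks a privilege this entry requires
        if "ConfigureSelf" in required and session_user != target_account:
            continue  # self-scoped privilege does not reach other accounts
        return True
    return False


def access_matrix():
    """Constructed sample: each role's user reading its own and another account."""
    cases = [("Administrator", "root"), ("Operator", "bob"), ("ReadOnly", "alice")]
    return {
        (role, user, target): allows(role, user, target, MANAGER_ACCOUNT_GET)
        for role, user in cases
        for target in (user, "carol")  # "carol" is some other account
    }


if __name__ == "__main__":
    for key, ok in access_matrix().items():
        print(key, "ALLOW" if ok else "DENY")
```
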