Post by uli42 on Mar 29, 2022 14:14:22 GMT
Hello,
We have security guidelines that require us to set BIOS passwords and ensure booting from CDROM and USB is disabled. We can verify those settings using Redfish (we do not need to see the actual password, we just need to see that a password is set). Unfortunately this seems to require Operator privileges which we definitely do not want to use here.
So my feature request is to add a Role that may READ but not MODIFY BIOS settings.
Or is there already a way to read-only access the settings and we are just missing it?
Kind regards,
Uli42
Post by mraineri on Mar 29, 2022 14:22:40 GMT
The existing "ReadOnly" role should have that capability. In the stock privilege registry the DMTF publishes, this type of user is able to read the Bios resource, but not allowed to modify it. Here's a link to the latest published registry: redfish.dmtf.org/registries/v1/Redfish_1.2.0_PrivilegeRegistry.json
If you search for '"Entity": "Bios"', GET and PATCH are assigned "Login" (which is a privilege ReadOnly has), and other methods like PATCH require the "ConfigureComponents" privilege (which is a privilege Operator has, but not ReadOnly).
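The registry lookup described in the answer above can be scripted. This is an added example, not part of the original posts and not DMTF code: it evaluates a constructed registry fragment (written in the shape of a Redfish privilege registry, not copied from the published file) against the standard role privilege sets. It assumes no SubordinateOverrides, PropertyOverrides or ResourceURIOverrides apply to the entity.

```python
import json

# Constructed fragment in the shape of a Redfish privilege registry.
# Replace it with the registry your implementation actually uses.
REGISTRY = json.loads("""
{
  "Mappings": [
    {"Entity": "Bios",
     "OperationMap": {
       "GET":    [{"Privilege": ["Login"]}],
       "HEAD":   [{"Privilege": ["Login"]}],
       "PATCH":  [{"Privilege": ["ConfigureComponents"]}],
       "POST":   [{"Privilege": ["ConfigureComponents"]}],
       "PUT":    [{"Privilege": ["ConfigureComponents"]}],
       "DELETE": [{"Privilege": ["ConfigureComponents"]}]
     }}
  ]
}
""")

# Assigned privileges of two standard Redfish roles.
ROLES = {
    "ReadOnly": {"Login", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureSelf", "ConfigureComponents"},
}

def allowed(registry, role_privs, entity, method):
    """True if the privilege set satisfies the entity's OperationMap for method."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] == entity:
            # Entries in the list are alternatives (OR); the privileges
            # inside one entry must all be held (AND).
            options = mapping["OperationMap"].get(method, [])
            return any(set(o["Privilege"]) <= role_privs for o in options)
    return False  # unknown entity: deny by default

def role_can_only_read(registry, role_privs, entity):
    """Check that a role can GET the entity but cannot change it."""
    writes = ("PATCH", "POST", "PUT", "DELETE")
    return allowed(registry, role_privs, entity, "GET") and not any(
        allowed(registry, role_privs, entity, m) for m in writes)

if __name__ == "__main__":
    for name, privs in ROLES.items():
        print(name, {m: allowed(REGISTRY, privs, "Bios", m) for m in ("GET", "PATCH")},
              "read-only:", role_can_only_read(REGISTRY, privs, "Bios"))
```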
Post by uli42 on Mar 29, 2022 15:01:02 GMT
Thanks for the quick answer, I must check why we came to a different conclusion.