Post by AMI_archerwen on Aug 4, 2022 10:21:09 GMT
Hi,
Based on our design, we have a Role "HostInterfaceAdministrator" which is for creating the bootstrapping account. And our engineer made this role a "Restricted Role" recently. Per the discussion with you guys, my understanding is "Administrator account can PATCH/DELETE the bootstrapping account". If the Role of the bootstrapping account becomes a "Restricted Role", we can't perform PATCH/DELETE for this account anymore. Is this correct? Or does our design have some problem?
Thanks, Archer.
Post by mraineri on Aug 4, 2022 20:25:05 GMT
To be clear, are you saying the account created via the bootstrap method is assigned the role "HostInterfaceAdministrator", meaning, the new user created after invoking the IPMI "Get Bootstrap Account Credentials" command will contain the role "HostInterfaceAdministrator"?
If this is the case, you're right in that an Administrator would not be able to PATCH or DELETE the user. However, this sounds like a potential design issue. Restricted roles are intended to be set up for service providers to have well-known access points to the system. Think of cases where a user leases a system from a third party; the third party would want to ensure they maintain their access to the system in order to service the system when the customer has an issue or their lease is up and they need to prepare the system for the next user. Setting an end user role like "HostInterfaceAdministrator" as a restricted role does not seem like an appropriate setting.
Post by AMI_archerwen on Aug 5, 2022 7:57:03 GMT
Yes, the bootstrapping account created by the IPMI "Get Bootstrap Account Credentials" command will contain the role "HostInterfaceAdministrator". We use this role to make sure BIOS data can be pushed to Redfish when the host powers on. So you mean the "Restricted Roles" are normally used for things like "AD" or "LDAP" accounts, right? And we should not set the role "HostInterfaceAdministrator" as a restricted role.
Post by mraineri on Aug 5, 2022 12:45:54 GMT
No, I don't necessarily mean that it's strictly tied to AD or LDAP. It's more for cases where ownership of a system is shared between two parties. For example, the "Contoso Server Farm Company" might lease equipment to customers. As part of the leasing agreement, their customers might have access to Redfish to perform system management. However, Contoso might need to ensure they still have access when the lease expires or other events take place. So, Contoso would have a restricted role that ensures they maintain access to the system. They likely have their own local admin account that's locked out and the customer is not able to access. I would not recommend using HostInterfaceAdministrator as a restricted role given the use case.
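The behaviour discussed in this thread (an Administrator cannot PATCH or DELETE an account whose role is listed as restricted, and end-user roles such as HostInterfaceAdministrator should not be restricted) can be checked offline against the JSON a BMC returns. The following is an added example, not code from either poster or from the DMTF; it assumes the public Redfish property names `AccountService.RestrictedRoles` and `ManagerAccount.RoleId`, and all resource contents, user names and the role name "ServiceProviderAdmin" are constructed sample data.

```python
"""Audit a Redfish AccountService for restricted-role settings.

Added example. Uses constructed sample resources; the property names follow
the Redfish AccountService and ManagerAccount schemas, the values are invented.
"""
import json

# Constructed AccountService resource (sample, not captured from a real BMC).
# Here the vendor has put the end-user role HostInterfaceAdministrator into
# RestrictedRoles, the situation described in the thread.
ACCOUNT_SERVICE_JSON = """
{
  "@odata.id": "/redfish/v1/AccountService",
  "RestrictedRoles": ["ServiceProviderAdmin", "HostInterfaceAdministrator"],
  "Roles": {"@odata.id": "/redfish/v1/AccountService/Roles"}
}
"""

# Constructed members of the Accounts collection (sample data).
ACCOUNTS_JSON = """
[
  {"@odata.id": "/redfish/v1/AccountService/Accounts/1",
   "UserName": "admin", "RoleId": "Administrator"},
  {"@odata.id": "/redfish/v1/AccountService/Accounts/7",
   "UserName": "bootstrap-a1b2", "RoleId": "HostInterfaceAdministrator"},
  {"@odata.id": "/redfish/v1/AccountService/Accounts/8",
   "UserName": "contoso-svc", "RoleId": "ServiceProviderAdmin"}
]
"""

# Roles that belong to the end user / host side rather than to a leasing
# service provider. Per the thread, these should not appear in RestrictedRoles.
END_USER_ROLES = {"Administrator", "Operator", "ReadOnly",
                  "HostInterfaceAdministrator"}


def load_samples():
    """Parse the constructed sample resources into dicts."""
    return json.loads(ACCOUNT_SERVICE_JSON), json.loads(ACCOUNTS_JSON)


def restricted_roles(account_service):
    """Set of role names the service protects from Administrator changes."""
    return set(account_service.get("RestrictedRoles", []))


def admin_can_modify(account_service, account):
    """True if an Administrator may PATCH/DELETE this account.

    Models the thread's statement: accounts whose RoleId is in
    RestrictedRoles cannot be modified or deleted by an Administrator.
    """
    return account.get("RoleId") not in restricted_roles(account_service)


def audit_restricted_roles(account_service):
    """Return end-user roles that were placed in RestrictedRoles.

    A non-empty result flags the design issue raised in the thread.
    """
    return sorted(restricted_roles(account_service) & END_USER_ROLES)


def report(account_service, accounts):
    """Per-account (UserName, RoleId, admin_can_modify) rows."""
    return [(a["UserName"], a["RoleId"], admin_can_modify(account_service, a))
            for a in accounts]


if __name__ == "__main__":
    svc, accts = load_samples()
    for user, role, ok in report(svc, accts):
        state = "allowed" if ok else "blocked"
        print(f"{user:16} {role:28} admin PATCH/DELETE: {state}")
    misplaced = audit_restricted_roles(svc)
    if misplaced:
        print("End-user roles found in RestrictedRoles:", ", ".join(misplaced))
```

Running the script against a live service would mean fetching `/redfish/v1/AccountService` and each member of its `Accounts` collection instead of the constructed strings; the checks themselves do not change. The sample flags HostInterfaceAdministrator as a misplaced entry and shows that the bootstrap account it is assigned to would be unmodifiable by the local Administrator, while the (invented) service-provider role stays restricted as intended.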