Oem AccountService

jane
Minnow

Posts: 4

Oem AccountService Aug 18, 2022 11:54:48 GMT

Quote

Post by jane on Aug 18, 2022 11:54:48 GMT

Hello,
In other thread I saw discussion about accounts and groups property there. redfishforum.com/thread/219/account-groups-property
I also need an ability to create and manage groups.
In addtion, I noticed that ManagerAccount, Roles, etc. schemas doesn't meet other requirements for my system.
Would it be correct to not use AccountService and related entities at all and create OemAccountService, OemManagerAccount, etc?

mraineri
Administrator

Posts: 1,049

Oem AccountService Aug 18, 2022 12:32:45 GMT

Quote

Post by mraineri on Aug 18, 2022 12:32:45 GMT

If there are functions you need to expose that are not part of the standard, but they are common concepts that you think might be applicable beyond your product, it may be worth proposing the additions here so we can discuss them in the working group to see if there's a chance they can be standardized.

However, in the meantime, you'd need to use OEM extensions. I wouldn't create OEM variants of the AccountService and ManagerAccount resources, but rather use the "Oem" object inside of those resources to extend it as you need. For example, for the AccountService resource:

{
    "@odata.id": "/redfish/v1/AccountService",
    "@odata.type": "#AccountService.v1_11_0.AccountService",
    "Id": "AccountService",
    "Name": "Account Service",
    "Accounts": {
        "@odata.id": "/redfish/v1/AccountService/Accounts"
    },
    "Roles": {
        "@odata.id": "/redfish/v1/AccountService/Roles"
    },
    ... <Other standard properties>
    "Oem": {
        "<My company name>": {
            "@odata.type": "#<My company name>AccountService.v1_0_0.AccountService",
            <OEM extensions for the account service>
        }
    }
}

Last Edit: Aug 18, 2022 12:33:02 GMT by mraineri

jane
Minnow

Posts: 4

Oem AccountService Aug 18, 2022 12:51:38 GMT

Quote

Post by jane on Aug 18, 2022 12:51:38 GMT

ManagerAccount has requirement for properties:
"requiredOnCreate": [
"Password",
"UserName",
"RoleId"
]

But I can't use RoleId, because in my case user doesn't have Role. In my case user is in some group/groups and that group defines users privileges.

The same thing with ldap-users and groups. They should be added/removed to/from local groups.

michaeldu Minnow Posts: 23	Oem AccountService Aug 23, 2022 3:02:45 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by michaeldu on Aug 23, 2022 3:02:45 GMT I think you may use group as the RoleId. From your description, the group defines users privileges, the RoleId does the same.

mraineri
Administrator

Posts: 1,049

Oem AccountService Aug 23, 2022 13:09:32 GMT

Quote

Post by mraineri on Aug 23, 2022 13:09:32 GMT

Aug 23, 2022 3:02:45 GMT michaeldu said:

I think you may use group as the RoleId. From your description, the group defines users privileges, the RoleId does the same.

That's a good approach; this keeps client expectations for properties required on create.

Post by jane on Aug 18, 2022 11:54:48 GMT

Post by mraineri on Aug 18, 2022 12:32:45 GMT

Post by jane on Aug 18, 2022 12:51:38 GMT

Post by michaeldu on Aug 23, 2022 3:02:45 GMT

Post by mraineri on Aug 23, 2022 13:09:32 GMT