We facing the issue that Operator user can login to WebUI and start Firmware update.
Steps to reproduce the behavior:
1.Create a new user usertest from WebUI with Operator privilege. 2.Login to WebUI via usertest. 3.Click on Operators -> Firmware. In Update firmware -> Image file, click Add file to select new firmware. Then select Start update to start update process. 4.New firmware is uploaded and then update process start. After complete, the BMC boots with new firmware
Based on the the DMTF registries, the UpdateService's POST method has 'ConfigureComponents' privilege. Reference Table 41 — Required standard roles in the redfish specification, which specifies Operator should have ConfigureComponents privilege. That why Operator user can login to WebUI and start Firmware update.
Expect that only Administrator user can flash the firmware? For the UpdateService, need to change privilege to ConfigureManager?
I think at the time we were considering that operators could apply updates to components in a system. But I'm second guessing that reasoning now; I tend to think of an administrator as the one to decide when components are updated. I can raise this for others to discuss.
But in the meantime, you're certainly allowed to modify the privilege registry to meet your implementation's needs; there's no requirement to use the DMTF-published privilege registry as-is.
The forum thinks the registry is correct as-is. We still see there's the possibility that Operators could perform updates on a limited set of devices in some products. However, you have no requirement to use the registry as-is from DMTF; you're free to add your own changes to it to map it to your product.