Post by AMI_Mani on Apr 15, 2023 18:14:17 GMT
Hi,
If I create a role with only AssignedPrivileges as ConfigureComponents:
"AssignedPrivileges": [
    "ConfigureComponents"
]
and then create an account by assigning this roleid (ConfigureComponents only), is it possible to use this account to get another administrator account instance (GET /redfish/v1/AccountService/Accounts/10)?
As per redfish.dmtf.org/registries/Redfish_1.3.0_PrivilegeRegistry.json:
"Entity": "ManagerAccount",
"OperationMap": {
    "GET": [
        { "Privilege": [ "ConfigureManager" ] },
        { "Privilege": [ "ConfigureUsers" ] },
        { "Privilege": [ "ConfigureSelf" ] }
    ],
Since the role has been created with only ConfigureComponents, will the Login, ConfigureManager, ConfigureUsers and ConfigureSelf privileges be added to this role automatically? Please confirm.
Thanks, Mani
Post by mraineri on Apr 16, 2023 15:38:43 GMT
No, since the role only has "ConfigureComponents" and "ConfigureComponents" is not in the map for GET operations, it will not be able to access any ManagerAccount resources. I would not expect a service to insert additional privileges when creating the role, nor is there any language in the spec to indicate this type of behavior.
Post by AMI_Mani on May 19, 2023 18:26:33 GMT
Hi,
I got your point: it will not be able to access any ManagerAccount resources when configured with ConfigureComponents. But we have the below definition for ActionInfo:
{
    "Entity": "ActionInfo",
    "OperationMap": {
        "GET": [
            {
                "Privilege": [
                    "Login"
                ]
            }
        ],
        "HEAD": [
            {
                "Privilege": [
                    "Login"
                ]
            }
        ],
        "PATCH": [
            {
                "Privilege": [
                    "ConfigureManager"
                ]
            }
        ],
        "PUT": [
            {
                "Privilege": [
                    "ConfigureManager"
                ]
            }
        ],
        "DELETE": [
            {
                "Privilege": [
                    "ConfigureManager"
                ]
            }
        ],
        "POST": [
            {
                "Privilege": [
                    "ConfigureManager"
                ]
            }
        ]
    }
}
Can we provide the response of ActionInfo even though the user has a role with ConfigureComponents only? Since this is providing the response of an Action and login was successful, showing the response may not break compliance.
Please explain the scenario of creating a role with only AssignedPrivileges as ConfigureComponents:
"AssignedPrivileges": [
    "ConfigureComponents"
]
Then create an account by assigning this roleid (ConfigureComponents only).
Is it possible to use this account to get ActionInfo resources (GET /redfish/v1/Systems/Self/ResetActionInfo)?
Thanks, Mani
Post by mraineri on May 20, 2023 14:38:52 GMT
No, ActionInfo requires "Login" for GET and HEAD operations, and requires "ConfigureManager" for other operations. A user with a role that just contains "ConfigureComponents" would not be able to perform any operations on an ActionInfo resource.
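
The check described in the two answers above, as an added example that is not part of any post in this thread and is not code from DMTF or any Redfish implementation. The function name `is_allowed` and the `MAPPINGS` table are hypothetical; the table is constructed from the registry fragments quoted in the thread, and the example assumes no registry overrides or per-resource scoping of a privilege.

```python
# Added example: evaluate a privilege-registry OperationMap against a role.
# MAPPINGS is constructed from the fragments quoted in this thread; the
# ManagerAccount entry holds only GET because only GET was quoted.
_LOGIN = [{"Privilege": ["Login"]}]
_CONFIG_MGR = [{"Privilege": ["ConfigureManager"]}]

MAPPINGS = [
    {"Entity": "ManagerAccount",
     "OperationMap": {
         "GET": [{"Privilege": ["ConfigureManager"]},
                 {"Privilege": ["ConfigureUsers"]},
                 {"Privilege": ["ConfigureSelf"]}]}},
    {"Entity": "ActionInfo",
     "OperationMap": {
         "GET": _LOGIN, "HEAD": _LOGIN,
         "PATCH": _CONFIG_MGR, "PUT": _CONFIG_MGR,
         "DELETE": _CONFIG_MGR, "POST": _CONFIG_MGR}},
]


def is_allowed(entity, method, assigned_privileges, mappings=MAPPINGS):
    """Return True if the role's AssignedPrivileges satisfy the operation map.

    The entries listed for a method are alternatives (any one is enough);
    every privilege named inside one entry's "Privilege" array is required.
    Nothing is added to the role implicitly, and an unknown entity, an
    unlisted method or an empty "Privilege" array is denied.
    """
    held = set(assigned_privileges)
    for mapping in mappings:
        if mapping["Entity"] != entity:
            continue
        alternatives = mapping["OperationMap"].get(method.upper(), [])
        return any(alt["Privilege"] and set(alt["Privilege"]) <= held
                   for alt in alternatives)
    return False


if __name__ == "__main__":
    role = ["ConfigureComponents"]  # the role asked about in the thread
    for entity, method in [("ManagerAccount", "GET"), ("ActionInfo", "GET"),
                           ("ActionInfo", "POST")]:
        print(entity, method, "allowed" if is_allowed(entity, method, role)
              else "denied")
    # Same role with "Login" added: ActionInfo GET passes, POST still fails.
    print(is_allowed("ActionInfo", "GET", role + ["Login"]),
          is_allowed("ActionInfo", "POST", role + ["Login"]))
```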