Restricted Administrator Profiles – FortiManager 5.2

Restricted Administrator Profiles

In v5.2.0 or later, you can configure restricted administrator profiles. The restricted profile is used by the restricted administrator account. You can use restricted administrator accounts to provide delegated management of Web Filter profiles, Application Sensors, and Intrusion Protection System (IPS) Sensors for a specific ADOM. These restricted administrators can view, edit, and install changes to their ADOM.

To create a custom restricted administrator profile:

  1. Go to System Settings > Admin > Profile and select Create New in the toolbar. The Create Profile dialog box appears.

Create new administrator profile

  1. Configure the following settings:
Profile Name Type a name for this profile.
Description Type a description for this profile. While not a requirement, a description can help to know what the profiles is for or the levels it is set to.
Type Select Restricted Admin.
Permission Select to enable permission.
Web Filter Profile Select to enable the web filter profile permission.
Application Sensor Select to enable the application sensor permission.
IPS Sensor Select to enable the IPS sensor permission.
  1. Select OK to save the new restricted administrator profile.

Restricted administrator accounts                                                                             Restricted Administrator Profiles

Restricted administrator accounts

Once you have configured the new restricted administrator profile, you can create a new restricted administrator account and apply the profile to the administrator account.

To create a new restricted administrator account:

  1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator page is displayed.

Creating a new administrator account

  1. Configure the following settings:
User Name Type the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
Description Optionally, type a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account.

(Character limit = 127)

Administration Guide                                                                                                                                       155

Fortinet Technologies Inc.

Restricted Administrator Profiles                                                                             Restricted administrator accounts

Type Select the type of authentication the administrator will use when logging into the device.

Select one of the following: LOCAL, RADIUS, LDAP, TACACS+, or PKI.

RADIUS Server Select the RADIUS server from the drop-down menu.

This field is only available when Type is set to RADIUS.

LDAP Server Select the LDAP server from the drop-down menu.

This field is only available when Type is set to LDAP.

TACACS+ Server Select the TACACS+ server from the drop-down menu.

This field is only available when Type is set to TACACS+.

Wildcard Select to enable wildcard.

This field is only available when Type is set to RADIUS, LDAP, or TACACS+.

Subject Type a comment in the subject field for the PKI administrator. This field is only available when Type is set to PKI.
CA Select the CA from the drop-down menu.

This field is only available when Type is set to PKI.

Require two-factor authentication Select to enable two-factor authentication.

This field is only available when Type is set to PKI.

New Password Type the password.

This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.

Confirm Password Type the password again to confirm it. The passwords must match. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
Admin Profile Select a restricted administrator profile from the drop-down menu. The profile selected determines the administrator’s access to the FortiManager unit’s features.To create a new profile see To create a custom restricted administrator profile:.
Administrative Domain Choose the ADOMs this administrator will be able to access. This field is only available if ADOMs are enabled.
Web Filter Profile Select the web filter profile that the administrator will have access to. Select the add icon to add multiple Web Filter profiles.
Application Sensor Select the Application Sensor that the administrator will have access to. Select the add icon to add multiple Application Sensors.
IPS Sensor Select the IPS Sensor that the administrator will have access to. Select the add icon to add multiple IPS Sensors.

FortiManager portal                                                                                                Restricted Administrator Profiles

Trusted Host Optionally, type the trusted host IPv4 or IPv6 address and netmask that the administrator can log in to the FortiManager unit from. Select the add icon to add trusted hosts. You can specify up to ten trusted hosts.

Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.

User Information (optional)  
Contact Email Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
Contact Phone Type a contact phone number for the new administrator.
  1. Select OK to create the new restricted administrator account.

FortiManager portal

When the restricted administrator logs into the FortiManager, they have access to the security profiles that are configured for the account.

Restricted administrator portal

The following options are available:

Install icon Select to install changes to the ADOM.

Administration Guide                                                                                                                                       157

Fortinet Technologies Inc.

Restricted Administrator Profiles                                                                                                FortiManager portal

Change Password icon Select the change password icon in the toolbar to change your account password. A Change Password dialog box is displayed. Type your old password, the new password, confirm the password, and select OK to save the new password. This option must be enabled via the CLI.
Help icon Select the help icon in the toolbar to load the FortiManager online help. The online help will be loaded in a new browser window.
Log Out icon Select the log out icon to log out of FortiManager.
Web Filter Profile When the Web Filter Profile permission is enabled in the restricted administrator profile, this menu will be displayed. The Web Filter Profile selected in the restricted administrator account will be listed. For information on configuring the Web Filter profile, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.
IPS Sensor When the IPS Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The IPS Sensor selected in the restricted administrator account will be listed. For information on configuring the IPS sensor, see the FortiOS documentation for the firmware version of the ADOM.

The options will vary based on the ADOM version.

Application Sensor When the Application Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The application sensor selected in the restricted administrator account will be listed. For information on configuring the Application Sensor, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.

To enable the restricted user to change their own password:

Log into the device command line interface and enter the following CLI command:

config system admin profile edit <restricted_admin_profile> set change-password enable

end

When the restricted administrator logs into their ADOM, the change password icon is displayed in the toolbar.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiManager and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.