Managing administrator accounts – FortiAnalyzer – FortiOS 6.2.3

Managing administrator accounts

Go to System Settings > Admin > Administrator to view the list of administrators and manage administrator accounts.

Only administrators with the Super_User profile can see the complete administrators list. If you do not have certain viewing permissions, you will not see the administrator list. When ADOMs are enabled, administrators can only access the ADOMs they have permission to access.

The following options are available:

  • Create New: Create a new administrator. See Creating administrators on page 224.
  • Edit: Edit the selected administrator. See Editing administrators on page 227.
  • Clone: Clone the selected administrator.
  • Delete: Delete the selected administrator or administrators. See Deleting administrators on page 228.
  • Table View/Tile View: Change the view of the administrator list. Table view shows a list of the administrators in a table format. Tile view shows a separate card for each administrator in a grid pattern.
  • Column Settings: Change the displayed columns.
  • Search: Search the administrators.
  • Change Password: Change the selected administrator's password. This option is only available from the right-click menu. See Editing administrators on page 227.

The following information is shown:

  • Seq.#: The sequence number.
  • Name: The name the administrator uses to log in.
  • Type: The user type, as well as whether the administrator uses a wildcard.
  • Profile: The profile applied to the administrator. See Administrator profiles on page 228.
  • ADOMs: The ADOMs the administrator has access to or is excluded from.
  • Comments: Comments about the administrator account. This column is hidden by default.
  • Trusted IPv4 Hosts: The IPv4 trusted host(s) associated with the administrator. See Trusted hosts on page 222.
  • Trusted IPv6 Hosts: The IPv6 trusted host(s) associated with the administrator. See Trusted hosts on page 222. This column is hidden by default.
  • Contact Email: The contact email associated with the administrator. This column is hidden by default.
  • Contact Phone: The contact phone number associated with the administrator. This column is hidden by default.

Creating administrators

To create a new administrator account, you must be logged in to an account with sufficient privileges, or as a super user administrator.

You need the following information to create an account:

  • Which authentication method the administrator will use to log in to the FortiAnalyzer unit. Local, remote, and Public Key Infrastructure (PKI) authentication methods are supported.
  • What administrator profile the account will be assigned, or what system privileges the account requires.
  • If ADOMs are enabled, which ADOMs the administrator will require access to.
  • If using trusted hosts, the trusted host addresses and network masks.

To create a new administrator:

  1. Go to System Settings > Admin > Administrators.
  2. In the toolbar, click Create New to display the New Administrator
  3. Configure the following settings, and then click OK to create the new administrator.
  • User Name: Enter the name the administrator will use to log in.
  • Avatar: Apply a custom image to the administrator. Click Add Photo to select an image already loaded to the FortiAnalyzer, or to load a new image from the management computer. If no image is selected, the avatar will use the first letter of the user name.
  • Comments: Optionally, enter a description of the administrator, such as their role, location, or the reason for their account.
  • Admin Type: Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. One of: LOCAL, RADIUS, LDAP, TACACS+, PKI, or Group. See Authentication on page 234 for more information.
  • Server or Group: Select the RADIUS server, LDAP server, TACACS+ server, or group, as required. The server must be configured prior to creating the new administrator. This option is not available if the Admin Type is LOCAL or PKI.
  • Match all users on remote server: Select this option to automatically add all users from an LDAP server specified in Admin > Remote Authentication Server. All users specified in the Distinguished Name field in the LDAP server will be added as FortiManager users with the selected Admin Profile. If this option is not selected, the User Name specified must exactly match the LDAP user specified on the LDAP server. This option is not available if the Admin Type is LOCAL or PKI.
  • Subject: Enter a comment for the PKI administrator. This option is only available if the Admin Type is PKI.
  • CA: Select the CA certificate from the dropdown list. This option is only available if the Admin Type is PKI.
  • Require two-factor authentication: Select to enable two-factor authentication. This option is only available if the Admin Type is PKI.
  • New Password: Enter the password. This option is not available if Wildcard is selected. If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected. If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only used when the remote server is unreachable.
  • Confirm Password: Enter the password again to confirm it. This option is not available if Wildcard is selected. If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.
  • Force this administrator to change password upon next log on: Force the administrator to change their password the next time that they log in to the FortiAnalyzer. This option is only available if Password Policy is enabled in Admin Settings. See Password policy on page 244.
  • Admin Profile: Select an administrator profile from the list. The profile selected determines the administrator's access to the FortiAnalyzer unit's features. See Administrator profiles on page 228.
  • JSON API Access: Select the permission for JSON API Access. Select Read-Write, Read, or None. The default is None.
  • Administrative Domain: Choose the ADOMs this administrator will be able to access. This field is available only if ADOMs are enabled. See Administrative Domains on page 176. If the Admin Profile is Super_User, then this setting is All ADOMs.
      • All ADOMs: The administrator can access all the ADOMs.
      • All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
      • Specify: The administrator can access the selected ADOMs. Specifying the ADOM shows the Specify Device Group to Access check box. Select the Specify Device Group to Access check box and select the Device Group this administrator is allowed to access. The newly created administrator will only be able to access the devices within the Device Group and its sub-groups.
  • Trusted Hosts: Optionally, turn on trusted hosts, then enter their IP addresses and netmasks. Up to ten IPv4 and ten IPv6 hosts can be added. See Trusted hosts on page 222 for more information.
  • Meta Fields: Optionally, enter the new administrator's email address and phone number.
  • Advanced Options: Configure advanced options, see Advanced options below. For more information on advanced options, see the FortiAnalyzer CLI Reference.

Advanced options

  • change-password: Enable or disable changing the password. Default: disable.
  • ext-auth-accprofile-override: Enable or disable overriding the account profile by administrators configured on a Remote Authentication Server. Default: disable.
  • ext-auth-adom-override: Enable or disable overriding the ADOM by administrators configured on a Remote Authentication Server. Default: disable.
  • ext-auth-group-match: Specify the group configured on a Remote Authentication Server.
  • first-name: Specify the first name.
  • last-name: Specify the last name.
  • mobile-number: Specify the mobile number.
  • pager-number: Specify the pager number.
  • restrict-access: Enable or disable restricted access. Default: disable.
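The following is an added example, not text from this guide or from Fortinet's own documentation. It shows how the settings walked through in the creation procedure above and the Advanced options table map onto the FortiAnalyzer CLI (config system admin user): one local administrator confined to a single ADOM and two trusted subnets, and one LDAP administrator created with "Match all users on remote server" (the wildcard option). All account, ADOM, profile and server names, the addresses and the LDAP group DN are placeholders I constructed; the option keywords (user_type, profileid, adom, trusthostN, rpc-permit, wildcard, force-password-change, ldap-server and the ext-auth-* options) are assumed to match the 6.2 CLI reference and should be checked there for your release.

```fortios
# Added example (placeholders throughout); not from the guide or Fortinet.
config system admin user
    # Local administrator: one ADOM, two trusted sources, no JSON API access,
    # password must be changed at first login (needs Password Policy enabled).
    edit "sec-analyst"
        set user_type local
        set password "Placeholder-ChangeMe-1"       # placeholder; replace before use
        set force-password-change enable             # assumed keyword for the GUI "Force ... change password" option
        set profileid "Standard_User"                # built-in profile assumed to exist on the unit
        set adom "ADOM_example"                      # placeholder ADOM name (Specify: one ADOM)
        set trusthost1 10.0.10.0 255.255.255.0       # constructed management subnet
        set trusthost2 10.0.20.5 255.255.255.255     # constructed single jump host
        set rpc-permit none                          # JSON API Access = None (the default)
        set description "SOC analyst, log viewing only"
        set email-address "analyst@example.com"      # Meta Fields: contact email (constructed)
    next
    # Remote LDAP administrator: every user under the server's Distinguished
    # Name is accepted (wildcard = "Match all users on remote server"), always
    # with the profile and ADOM set here because the ext-auth overrides stay off.
    edit "ldap-admins"
        set user_type ldap
        set ldap-server "LDAP_example"               # must already exist under Remote Authentication Server
        set wildcard enable
        set profileid "Restricted_User"
        set adom "ADOM_example"
        set ext-auth-accprofile-override disable     # Advanced option, default shown explicitly
        set ext-auth-adom-override disable           # Advanced option, default shown explicitly
        set ext-auth-group-match "CN=faz-admins,OU=Groups,DC=example,DC=com"   # constructed group DN
        set trusthost1 10.0.10.0 255.255.255.0
    next
end
```

After entering this, show system admin user "sec-analyst" displays the stored entry with the password hashed and is the quickest way to confirm the trusthost lines took effect: an entry with no trusthost lines keeps the default 0.0.0.0 0.0.0.0, which accepts logins from any source address, so the trusted-host lines are the setting worth re-checking after every edit. Entries created this way are removed with the same config system admin user block and delete <username>, as shown under Deleting administrators below.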

Editing administrators

To edit an administrator, you must be logged in as a super user administrator. The administrator’s name cannot be edited. An administrator’s password can be changed using the right-click menu, if the password is not a wildcard.

To edit an administrator:

  1. Go to System Settings > Admin > Administrators.
  2. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

To change an administrator’s password:

  1. Go to System Settings > Admin > Administrators.
  2. Right-click on an administrator and select Change Password from the menu. The Change Password dialog box opens.
  3. If you are editing the admin administrator’s password, enter the old password in the Old Password
  4. Enter the new password for the administrator in the New Password and Confirm Password
  5. Select OK to change the administrator’s password.

Deleting administrators

To delete an administrator or administrators, you must be logged in as a super user administrator.

  1. Go to System Settings > Admin > Administrators.
  2. Select the administrator or administrators you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Select OK in the confirmation box to delete the administrator or administrators.

To delete an administrator using the CLI:

  1. Open a CLI console and enter the following commands:

     config system admin user
         delete <username>
     end

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
