Configuring administrator accounts and access profiles
The Administrator submenu configures administrator accounts and access profiles.
This topic includes:
- About administrator account permissions and domains
- Configuring administrator accounts
- Configuring access profiles
About administrator account permissions and domains
Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.
Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.
The domain to which an administrator is assigned is one of:
The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.
The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode” on page 24.)
There are exceptions. Domain administrators can configure IP-based policies, the global black list, the global white list, the blacklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.
Table 28:Areas of the GUI that domain administrators cannot access
Maintenance |
Monitor except for the Personal quarantine tab |
System except for the Administrator tab |
Mail Settings except for the domain, its subdomains, and associated domains |
User > User > PKI User |
Policy > Access Control > Receive
Policy > Access Control > Delivery |
Profile > Authentication |
AntiSpam except for AntiSpam > Bayesian > User and AntiSpam > Black/White List |
Email Archiving |
Log and Report |
Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles” on page 297.
Table 29:Areas of control in access profiles
Access control area name |
Grants access to
(For each config command, there is an equivalent get/show command, unless otherwise noted.
config access requires write permission. get/show access requires read permission.) |
In the web UI |
In the CLI |
Black/White List |
black-whit e-lis t |
Monitor > Endpoint Reputation > Auto Blacklist
Maintenance > AntiSpam > Black/White List Maintenance AntiSpam > Black/White List … |
N/A |
Quarantine |
quarantine |
Monitor > Quarantine …
AntiSpam > Quarantine > Quarantine Report
AntiSpam > Quarantine > System Quarantine Setting
AntiSpam > Quarantine > Control Account |
config antispam quarantine-report config mailsetting systemquarantine |
Policy |
policy |
Monitor > Mail Queue …
Monitor > Greylist …
Monitor > Sender Reputation > Display
Mail Settings > Domains > Domains
Mail Settings > Proxies > Proxies User > User …
Policy …
Profile …
AntiSpam > Greylist …
AntiSpam > Bounce Verification > Settings AntiSpam > Endpoint Reputation …
AntiSpam > Bayesian … |
config antispam greylist exempt config antispam bounce-verification key config antispam settings config domain
config mailsetting proxy-smtp config policy … config profile … config user … |
Table 29:Areas of control in access profiles
Archive |
archive |
Email Archiving
Monitor > Archive |
config archive |
Greylist |
greylist |
Monitor > Greylist …
AntiSpam > Greylist … |
config antispam greylist… get antispam greylist … |
Others |
others |
Monitor > System Status …
Monitor > Archive > Email Archives Monitor > Log …
Monitor > Report …
Maintenance … except the Black/White List Maintenance tab
System …
Mail Settings > Settings …
Mail Settings > Address Book > Address Book
User > User Alias > User Alias User > Address Map > Address Map Email Archiving …
Log and Report … |
config archive … config log …
config mailsetting relayserver config mailsetting storage config report config system … config user alias config user map diagnose … execute …
get system status |
About the “admin” account
Unlike other administrator accounts whose access profile is super_admin_prof and domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.
The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten. (Other administrators can change an administrator’s password if they know the current password.
About the “remote_wildcard” account
In previous FortiMail releases (older than v5.1), when you add remote RADIUS or LDAP accounts to FortiMail for account authentication purpose, you must add them one by one on FortiMail. Starting from FortiMail v5.1, you can use the wildcard to add RADIUS accounts (LDAP accounts will be supported in future releases) all at once.
To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS profile to use. Then every account on the RADIUS server will be able to log on to FortiMail.
To add all accounts on a RADIUS server to FortiMail
- Go to System > Administrator > Administrator.
- Double click the built-in “remote_wildcard” account.
- Configure the following and click OK.
GUI item |
Description |
Enable |
Select it to enable the wildcard account. |
Administrator |
The default name is remote_wildcard and it is not editable. |
Domain |
Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.
For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.
Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.
Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles” on page 542. |
Access profile |
Select the name of an access profile that determines which functional areas the administrator account may view or affect.
Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297.
Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles” on page 542. |
Authentication type |
For the v5.1 release, only RADIUS is supported. For details, see “Configuring authentication profiles” on page 542. |
GUI item |
Description |
Trusted hosts |
Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.
If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.
Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.
Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.
Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248. |
Language |
Select this administrator account’s preference for the display language of the web UI. |
Theme |
Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.
The administrator may switch the theme at any time during a session by clicking Next Theme. |
Configuring administrator accounts
The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).
By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see “About administrator account permissions and domains” on page 290.
Depending on the permission and assigned domain of your account, this list may not display all administrator accounts. For more information, see “About administrator account permissions and domains” on page 290.
If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see “Configuring the system quarantine administrator account and disk quota” on page 611.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.
For details, see “About administrator account permissions and domains” on page 290.
To configure administrator accounts
- Go to System > Administrator > Administrator.
- Either click New to add an account or double-click an account to modify it.
A dialog appears.
Figure 121:New Administrator dialog
- Configure the following and then click Create:
GUI item |
Description |
Enable |
Select it to enable the new account. If disabled, the account will not be able to access FortiMail. |
Administrator |
Enter the name for this administrator account.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( – ), and underscores ( _ ). Other special characters and spaces are not allowed. |
Domain |
Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.
For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.
Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI. |
Access profile |
Select the name of an access profile that determines which functional areas the administrator account may view or affect.
Click New to create a new profile or Edit to modify the selected profile.
For details, see “Configuring access profiles” on page 297. |
GUI item |
Description |
Authentication type |
Select the local or remote type of authentication that the administrator will use:
• Local
• RADIUS
• PKI
• LDAP
Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see “Configuring authentication profiles” on page 542 and “Configuring PKI authentication” on page 435. |
Password |
If you select Local as the authentication type, enter a secure password for this administrator account.
The password can contain any character except spaces.
This field does not appear if Authentication type is not Local or RADIUS+Local. |
Confirm password |
Enter this account’s password again to confirm it.
This field does not appear if Authentication type is not Local or RADIUS+Local. |
LDAP profile |
If you choose to use LDAP authentication, select an LDAP profile you want to use. |
RADIUS profile |
If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use. |
PKI profile |
If you choose to use PKI authentication, select a PKI profile you want to use. |
Trusted hosts |
Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.
If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.
Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.
Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.
Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248. |
GUI item |
Description |
Language |
Select this administrator account’s preference for the display language of the web UI. |
Theme |
Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.
The administrator may switch the theme at any time during a session by clicking Next Theme. |