Technical Tip: How to give Full Admin Access for specific VDOM for the specific user
Description
This article describes how to configure the specific user for the specific VDOM. When the user tries to access the FortiGate GUI, only the specific VDOM will be visible.
Scope
FortiGate.
Solution
Follow the steps below to create the VDOM.
To enable VDOM configuration from the GUI:
- Log in with a super_admin account.
- Navigate to System -> Settings -> System Operation Settings and enable Virtual Domains.
To enable VDOM configuration from the CLI:
config system global
    set vdom-admin enable
end
Once VDOM mode is enabled, create an administrator account and assign the VDOM to that full-access account.
Example:
- Create an admin profile named 'Superfull access' with read/write access.
- Create the administrator account with the administrator profile 'Superfull access' and the Virtual Domain 'Locl'.
- Save the configuration.
If the FortiGate has another WAN interface or ISP connection used for GUI access, first disable that interface and move it from the root VDOM to the specific VDOM 'Locl'.
FortiGate v6.4.16 or below:
From the GUI, change the interface from the root VDOM to the specific VDOM.

FortiGate v7.2.0 or above:
From the CLI, it is only necessary to change the VDOM of the interface:
config system interface
    edit <Interface name>    --> ISP connection or intercommunication interface used for GUI access.
        set vdom "Locl"      --> By default the interface belongs to the root VDOM; it must be changed manually to the specific VDOM.
    next
end
Now re-enable the interface and log in to the GUI with the specific user admin account 'test'.

When the GUI is accessed through the other ISP IP address, only the specific VDOM is visible to that specific user admin account.
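The whole procedure above, expressed as one CLI configuration, as an added example that is not part of the original article. It assumes the interface used for GUI access is "wan2" and uses a password placeholder; "Locl", "Superfull access" and "test" come from the article, and permission group names vary slightly between FortiOS versions.

```fortios
# Added example (not from the original article). Run from a super_admin
# session after multi-VDOM mode is enabled. Assumed values: interface "wan2"
# and the password placeholder; "Locl", "Superfull access", "test" are from the article.
config vdom
    edit "Locl"
    next
end
config global
    # Read/write on every permission group, but scoped to the VDOM so the
    # holder can never change global (system-wide) settings.
    config system accprofile
        edit "Superfull access"
            set scope vdom
            set secfabgrp read-write
            set ftviewgrp read-write
            set authgrp read-write
            set sysgrp read-write
            set netgrp read-write
            set loggrp read-write
            set fwgrp read-write
            set vpngrp read-write
            set utmgrp read-write
            set wifi read-write
        next
    end
    # Administrator bound to that profile and to the single VDOM "Locl";
    # in the GUI this account sees only "Locl".
    config system admin
        edit "test"
            set accprofile "Superfull access"
            set vdom "Locl"
            set password <password-placeholder>
        next
    end
    # Move the ISP/GUI interface out of root: disable, re-parent, re-enable.
    # The move is refused while the interface is still referenced (routes, policies).
    config system interface
        edit "wan2"
            set status down
        next
        edit "wan2"
            set vdom "Locl"
        next
        edit "wan2"
            set status up
        next
    end
end
```

After applying it, verify with a login as 'test' that only "Locl" is offered in the GUI and that the Global view is absent.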
Note:
If the FortiGate is managed by FortiManager, this configuration must be made on the FortiManager side; once it is installed on the FortiGate, it works as expected.
If it is configured directly on the FortiGate instead, it conflicts with FortiManager and the specific user ends up with only read-only access to the specific VDOM.