ShazzyS
May 22, 2025

Technical Tip: Configure Remote user with Restricted Admin profile on FortiManager

Description
This article describes a workaround for giving a remotely authenticated user the Restricted Admin profile. FortiManager does not support assigning a Restricted Admin profile to a remote user through the access-profile override, so the workaround assigns the profile locally on a wildcard admin user that is selected by the remote group the user belongs to.
Scope
FortiManager.
Solution

Create two wildcard admin users:

  1. One for the Restricted Admin profile (the local profileid of this entry is the restricted profile).
  2. One for generic users.

 

Sample configuration:

Fortimanager # show system admin user
config system admin user
    edit "Wildcard_1" <---- User 1
        set profileid "DB_IPS"
        set adom-access all
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "IPS_USER_GROUP" <----- Restricted Admin profile.
    next
    edit "Wildcard_2" <---- User 2
        set profileid "No_Permission_User"
        set adom-access all
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "SUPER_USER_GROUP" <----- Generic user.
    next
end

 

With the above setup, a user whose remote group matches IPS_USER_GROUP lands on Wildcard_1 and receives the Restricted Admin profile (DB_IPS), and a user who does not match it is picked up by the second wildcard user (Wildcard_2, group SUPER_USER_GROUP) and receives the generic profile. Because the profile is assigned locally on each wildcard entry, keep an ext-auth-group-match on every wildcard user: a wildcard entry without one accepts any user the TACACS+ server authenticates and hands them that entry's profile.
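The following script is an added example written for this article; it is not Fortinet code and not part of the original post. It parses `show system admin user` output, reports which wildcard entry a remote user with a given TACACS+ group would land on, and flags wildcard entries that have no group match or that reuse a group another entry already claims. The embedded config text is the article's two entries with the arrow annotations removed (the meta-data block is kept only on the first entry), plus a constructed third entry, Wildcard_3, that exists only to show the check firing. It assumes that wildcard entries are evaluated in configuration order, that the first entry whose ext-auth-group-match is among the user's groups wins, and that an entry with no group match accepts any authenticated user; a profile attribute returned by the server under ext-auth-accprofile-override is not modelled.

```python
# Added example, not from the article or Fortinet: parse `show system admin user`
# output and check which wildcard entry a remote user would land on.
import shlex

# Article's two entries, arrow annotations removed; meta-data block kept only on
# the first entry so the nested-block handling is exercised.
ARTICLE_ENTRIES = """\
    edit "Wildcard_1"
        set profileid "DB_IPS"
        set adom-access all
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "IPS_USER_GROUP"
    next
    edit "Wildcard_2"
        set profileid "No_Permission_User"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "SUPER_USER_GROUP"
    next
"""
# Constructed entry (hypothetical, not in the article): wildcard with no group match.
CONSTRUCTED_ENTRY = """\
    edit "Wildcard_3"
        set profileid "Super_User"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        set wildcard enable
    next
"""

def as_show_output(*entries):
    """Wrap entry blocks in the config/end envelope the CLI prints."""
    return "config system admin user\n" + "".join(entries) + "end\n"

def parse_admin_users(text):
    """Return {name: {setting: value}} for entries under `config system admin user`,
    ignoring nested blocks such as `config meta-data`, which carry their own edit/next."""
    users, stack, current = {}, [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)           # handles quoted values like "all_policy_packages"
        if not tokens:
            continue
        in_users = bool(stack) and stack[-1] == "system admin user"
        cmd = tokens[0]
        if cmd == "config":
            stack.append(" ".join(tokens[1:]))
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and in_users:
            current = users.setdefault(tokens[1], {})
        elif cmd == "next" and in_users:
            current = None
        elif cmd == "set" and in_users and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
    return users

def resolve(users, remote_groups):
    """(entry name, local profileid) for a remotely authenticated user, or None.
    Assumptions: entries are tried in configuration order, the first whose
    ext-auth-group-match is among the user's groups wins, and an entry with no
    group match accepts anyone. A server-sent profile attribute under
    ext-auth-accprofile-override is not modelled."""
    for name, s in users.items():
        if s.get("wildcard") != "enable":
            continue
        group = s.get("ext-auth-group-match")
        if group is None or group in remote_groups:
            return name, s.get("profileid")
    return None

def audit(users):
    """Flag wildcard entries that are too broad (no group match) or ambiguous."""
    findings, seen = [], {}
    for name, s in users.items():
        if s.get("wildcard") != "enable":
            continue
        group = s.get("ext-auth-group-match")
        if group is None:
            findings.append(f"{name}: no ext-auth-group-match, so profile "
                            f"{s.get('profileid')!r} goes to any user the server authenticates")
        elif group in seen:
            findings.append(f"{name}: ext-auth-group-match {group!r} already used by "
                            f"{seen[group]}; which entry wins is order-dependent")
        else:
            seen[group] = name
    return findings

if __name__ == "__main__":
    users = parse_admin_users(as_show_output(ARTICLE_ENTRIES, CONSTRUCTED_ENTRY))
    for groups in (["IPS_USER_GROUP"], ["SUPER_USER_GROUP"], ["CONTRACTORS"]):
        print(groups, "->", resolve(users, groups))
    for finding in audit(users):
        print("FINDING:", finding)
```

Run against the article's two entries alone, the audit is clean and a user in neither group matches nothing; add the constructed Wildcard_3 and that same user lands on it with the Super_User profile, which is exactly the case the group-match setting is there to prevent. To audit a real system, paste the CLI output in place of the embedded text.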