Troubleshooting Tip: Unable add/modify user when using custom admin profiles

Description

This article describes how to allow a custom admin profile to add/edit other admin users.

Without the admin profile setting described below, the admin user options are disabled (greyed out) even for the system administrators with full read-write access.

Scope

FortiManager/FortiAnalyzer.

Solution

Once the custom admin profile is created with full read-write access is created, the option 'super-user-profile' can be enabled via the CLI. This must be done by the default 'admin' or another administrator having the default 'Super_User' admin profile.

config system admin profile

    edit <admin-profile-name>

        set super-user-profile enable  <- Disabled by default.

    next

end

Example:

FAFM1 # config system admin profile

 (profile)# edit super_user

 (super_user)# set super-user-profile enable

 (super_user)# end
Profile must have full read-write privileges before super-user-profile can be enabled.
Required permissions will now be escalated.
Do you want to continue? (y/n)y

FAFM1 #

With this option enabled, log in again with the custom super user (in this example, 'user2' having profile 'super_user').

Now all admin features are enabled.