shikhakolekar
Staff
October 22, 2025

Technical Tip: 'Access Denied', unable to launch secrets after a role is assigned


Description

 

This article describes how to resolve the 'Access Denied' error that appears when launching a secret after a role has been assigned to the user.

 

Access Denied.png

 

Scope

 

FortiPAM.

 

Solution

 

The role assigned to the user must be given permission to read the secret table.

 

Step 1:

In this example, the user 'Tom' is mapped to the role named 'ROLE_DEFAULT_SUPPLIER'. The user is added as a 'Customized User' so that the intended roles can be assigned.

 

Config in CLI:

 

config system admin
    edit "Tom"
        set remote-auth enable
        set accprofile "ROLE_DEFAULT_SUPPLIER"
        config gui-dashboard
            edit 1
                set name "Status"
                set permanent enable
            next
        end
    next
end

 

GUI:

 

GUI.png

 

Step 2:

The required permissions can be edited as preferred by navigating to User Management -> Role and editing the required role.

 

Edit roles.png

 

The only requirement for a user who logs in and accesses the required secrets is that the user has permission to read the secret table.

If 'set secret-table read' is missing, the 'Access Denied' error appears.

 

Config in CLI:

 

config system accprofile
    edit "ROLE_DEFAULT_SUPPLIER"
        set ftviewgrp read-write
        set authgrp custom
        set vpngrp read
        set secretgrp custom
        set file-launcher-perm disable
        set secret-proxy-mode allow-non-proxy
        config secretgrp-permission
            set request read-write
            set folder-table read
            set secret-table read    <--
        end
    next
end
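
The following is an added example, not part of the original article and not Fortinet tooling: a Python check that parses a saved 'config system accprofile' export and lists the roles whose secretgrp is custom but which lack 'set secret-table read', the condition the article ties to 'Access Denied'. The sample config, the role name ROLE_NO_SECRET_READ, and treating read-write as sufficient are assumptions made for the example.

```python
import shlex

# Constructed sample in the layout of the article's accprofile output.
SAMPLE = '''\
config system accprofile
    edit "ROLE_DEFAULT_SUPPLIER"
        set secretgrp custom
        config secretgrp-permission
            set request read-write
            set folder-table read
            set secret-table read    <--
        end
    next
    edit "ROLE_NO_SECRET_READ"
        set secretgrp custom
        config secretgrp-permission
            set request read-write
            set folder-table read
        end
    next
end
'''

READ_VALUES = {"read", "read-write"}  # assumption: read-write also grants read


def parse_accprofiles(text):
    """Return {role: {(sub_block, key): value}} for 'config system accprofile'."""
    profiles, stack, current = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["system accprofile"]:
            current = profiles.setdefault(tok[1], {})
        elif tok[0] == "next" and stack == ["system accprofile"]:
            current = None
        elif tok[0] == "set" and current is not None and len(tok) >= 3:
            scope = stack[-1] if len(stack) > 1 else ""
            current[(scope, tok[1])] = tok[2]  # first value only; skips '<--' notes
    return profiles


def roles_missing_secret_read(text):
    """Roles with 'secretgrp custom' whose secret-table permission is not readable."""
    return [name for name, s in parse_accprofiles(text).items()
            if s.get(("", "secretgrp")) == "custom"
            and s.get(("secretgrp-permission", "secret-table")) not in READ_VALUES]
```

Running roles_missing_secret_read() over an exported configuration before assigning a role to users shows which roles would hit the error described above.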
