Fortigate: Custom admin profile does not work

does the user connect to a management ip from vdom DATA or root ?

is the FGT itself managed by FortiManager or FortiGate Cloud?

Hi @Anonymous_User ,

Is the account "net-admin" a local one or a remote one (I mean, authenticated via LDAP, Radius, TACACS+, and so on)? 

I created below admin profile and used it with a test admin account in my multi-vdom environment. But it works as I/you expected. Mine is 7.4.7. It might be a bug in 7.4.5. Open a ticket at TAC and ask them if it's a bug, which was fixed in either 7.4.6 or 7.4.7.

config system accprofile
  edit "test_admin"
    set secfabgrp read
    set ftviewgrp read
    set authgrp read
    set sysgrp read
    set netgrp read-write
    set loggrp read
    set fwgrp read
    set vpngrp read
    set utmgrp read
    set wifi read
    set cli-get enable
    set cli-show enable
  next
end
config system admin
  edit "test_admin"
    set accprofile "test_admin"
    set comments "test admin"
    set vdom "root" "test-vdom"
    set password ENC [password_hash]
  next
end

Toshi

Hello all, thank you for your answers

@funkylicious 

does the user connect to a management ip from vdom DATA or root ?

-> The management IP ist configured on the root VDOM

is the FGT itself managed by FortiManager or FortiGate Cloud?

-> Yes, it is managed by Fortimanager

@dingjerry_FTNT 

Is the account "net-admin" a local one or a remote one (I mean, authenticated via LDAP, Radius, TACACS+, and so on)? 

-> Originally it is a RADIUS account, but I last tested it as a local user without RADIUS as mentioned with the shared configuration.

Please notice, that the RW access ist possible, when the user is linked to the super_admin profile, but do not get any RW access, when he is linked to the custom profile.

@Toshi_Esumi 

Thank you for your test. I will clarify whether an upgrade is possible in the short term and test again

Hello,

I had the same problem and the knowledge base article below helped me solve it.

In my case, the FortiGate was being managed by FortiManager, and for that reason, administrator accounts created with custom read/write administrative profiles were not behaving as expected.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Custom-admin-profiles-show-read-only-access-on/ta-p/228076

netgrp read-write alone is not enough for GUI write access.
With your profile, sysgrp is only read, so FortiGate treats the admin as effectively read-only for login purposes. That is why the user only sees "Login Read-Only" or "Log Out".

This is especially true if the FortiGate is managed by FortiManager. In that case, Fortinet documents that a custom profile must also have System write permission, otherwise the admin is forced into read-only mode even if other groups are set to read-write. (Fortinet Community)

What is wrong in your config

You currently have:

set sysgrp read set netgrp read-write

That is the issue.

What to change

You need either:

config system accprofile     edit "net_admin"         set sysgrp read-write         set netgrp read-write     next end

Or, if you do not want full system write access, use custom system permissions and grant at least Configuration = read-write. Fortinet states that this is the minimum required permission for custom profiles to log in with write access. (Fortinet Community)

Example:

config system accprofile     edit "net_admin"         set sysgrp custom         config sysgrp-permission             set cfg read-write         end         set netgrp read-write         set secfabgrp read         set ftviewgrp read         set authgrp read         set loggrp read         set fwgrp read         set vpngrp read         set utmgrp read         set wanoptgrp read         set wifi read         set cli-get enable         set cli-show enable     next end

Important reality check

If the requirement is strictly:

• mostly read-only

• but allow interface enable/disable

then FortiGate admin profiles are not very granular here. Giving the necessary system/config write permission may open more than just interface toggling. Fortinet explicitly points out that sysgrp write access includes broader system areas unless you restrict it with sysgrp custom. (Fortinet Community)

My recommendation
If the FortiGate is FortiManager-managed: do the change in FortiManager, not locally, otherwise you are fighting intended behaviour. (Fortinet Community)

Set sysgrp custom with cfg read-write

Keep netgrp read-write

Test again

So the direct answer is:

Nothing is wrong with the user account. Your custom admin profile lacks the minimum System write permission required for read-write login.

If you want, I can give you a clean minimal profile that allows interface admin changes with the smallest possible write scope.