When using multiple VDOMs in the FortiGate configuration, there are two options to create an admin user that has the visibility of all VDOMs:
- A global admin account with read write (full) privileges . This is the default admin account profile (super_admin)
- A read only admin account, with a visibility on all VDOMs.
This article describes how to create the read only admin user with access to all VDOMs.
1) Create an admin profile with read only privileges from the CLI:
# config global
# config system accprofile
set admingrp read
set authgrp read
set endpoint-control-grp read
set fwgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set sysgrp read
set updategrp read
set utmgrp read
set vpngrp read
set wanoptgrp read
set wifi read
set scope global
By default, this admin profile option is configured with 'set scope vdom', which restricts the admin profiles VDOM visibility.
When this admin is created the interesting option is the 'set scope global' setting.
It has to be modified manually via CLI only in order to prevent accidental privileges for admin users.
This is not possible to see the 'Global' VDOM from GUI or CLI after login, even if the intention was to create an all access profile.
A global configuration change cannot be done unless either using a super_admin profile or changing the account profiles scope to 'global' from the CLI.
2) After the admin profile is created with the correct scope, create an admin user account and assign it the above created admin profile from the CLI:
# config global
# config system admin
set accprofile "admin_readonly"
1) Creating Admin Profile:
Login to the firewall as admin, select System, -> Admin Profiles, and then select Create new.
Name: Give Any name to the profile.
For all the access permissions select 'Read' mode, so that the concerned administrator will be able to view only, he will not be able to change any setting.
Permit use of CLI diagnostic commands:
If this option is enabled, Admins will be able to execute diagnostic commands in the FortiGate.
Here is the reference screenshot:
Select 'SAVE' button, the profile will be saved.
Now ti is necessary to create new administrator and attach this READ ONLY profile to that specific user.
2) Creating Administrator:
Select System -> Administrators and select Create New.
Fill in all the fields like name, and password, and then attach the newly created profile 'read only' to the admin user.
Refer to the below screenshot:
Now try to log in with this user, only read-only access will be available.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.