FortiGate
Markus_M
Staff

Description
When using multiple VDOMs in the FortiGate configuration, there are two options for creating an admin user that has visibility of all VDOMs:

- A global admin account with read-write (full) privileges. This is the default admin account profile (super_admin).
- A read-only admin account with visibility of all VDOMs.

This article describes how to create the read only admin user with access to all VDOMs.
Solution
1) Create an admin profile with read only privileges from the CLI:

# config global
# config system accprofile

    edit "admin_readonly"
        set admingrp read
        set authgrp read
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
        set scope global
    next
end
end

By default, a new admin profile is created with 'set scope vdom', which restricts the VDOM visibility of admins using that profile.
The important option when creating this profile is therefore 'set scope global'.
It can only be changed manually from the CLI, so that global privileges are not granted to admin users accidentally.

With the default scope, it is not possible to see the 'Global' VDOM from the GUI or CLI after login, even if the intention was to create a profile with access to all VDOMs.
A global configuration change cannot be made unless the account uses the super_admin profile or the scope of the account's profile is changed to 'global' from the CLI.

2) Once the admin profile exists with the correct scope, create an admin user account from the CLI and assign it the profile created above:

# config global
# config system admin

    edit "admin_read"
        set accprofile "admin_readonly"
    next
end
end
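As an added example (not part of the original article or of FortiOS itself), the following Python script parses a constructed 'config system accprofile' section written in the CLI format shown above and reports each profile's scope and privilege level, so that a profile combining 'set scope global' with read-write groups stands out during an admin-account review. The sample configuration and the profile names other than admin_readonly are assumptions.

```python
import re
# Constructed sample of a FortiOS "config system accprofile" section (not a real
# device dump): the article's read-only global profile plus two hypothetical ones.
SAMPLE_CONFIG = """\
config system accprofile
    edit "admin_readonly"
        set fwgrp read
        set sysgrp read
        set wifi read
        set scope global
    next
    edit "vdom_ops"
        set fwgrp read-write
    next
    edit "global_rw"
        set fwgrp read-write
        set scope global
    next
end
"""

def parse_accprofiles(text):
    """Map profile name -> options; an unset 'scope' keeps the FortiOS default 'vdom'."""
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "(.+)"', line)
        if m:  # start of a profile block
            current = m.group(1)
            profiles[current] = {"scope": "vdom"}
        elif line == "next":  # end of the current profile block
            current = None
        elif current and line.startswith("set "):  # 'set <option> <value>'
            _, key, value = line.split(None, 2)
            profiles[current][key] = value.strip('"')
    return profiles

def audit_accprofiles(text):
    """Flag global-scoped profiles that grant read-write anywhere (admin review)."""
    findings = {}
    for name, opts in parse_accprofiles(text).items():
        rw = sorted(k for k, v in opts.items() if v == "read-write")
        if opts["scope"] == "global" and rw:
            findings[name] = "global scope with read-write: " + ", ".join(rw)
        elif opts["scope"] == "global":
            findings[name] = "global read-only"
        else:
            findings[name] = "vdom scope"
    return findings
```

Running audit_accprofiles(SAMPLE_CONFIG) classifies admin_readonly as "global read-only", which is the result the article's profile is meant to produce.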
