FortiGate
alif (Staff)
Article Id 341692
Description This article describes the restriction, introduced in FortiOS 7.6.1, that limits control of the private data encryption feature to super_admin users.
Scope FortiGate v7.6.1.
Solution

Previously, an admin whose access profile granted the 'cfg read-write' and 'cli-config enable' privileges could disable private-data-encryption. From FortiOS 7.6.1, only super_admin users can do so.

The example below shows that a 'test' user assigned the 'prof_admin' profile cannot disable private-data-encryption.

show system admin
config system admin
    edit "test"
        set accprofile "prof_admin"    <-
        set vdom "root"
        set password ENC xxx
    next
end

By default, private data encryption is disabled; in this example it has already been enabled, as the output below shows.

show system global
config system global
    set alias "FortiGate"
    set gui-auto-upgrade-setup-warning disable
    set hostname "FortiGate"
    set private-data-encryption enable    <-
    set switch-controller enable
    set timezone "US/Pacific"
end

The example below demonstrates that an admin without the super_admin profile cannot disable private data encryption.

config system global
    set private-data-encryption disable
end
Only super_admin can disable private-data-encryption!
attribute set operator error, -37, discard the setting
Command fail. Return code -37

A super_admin user, on the other hand, can both enable and disable private data encryption.

show system admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC xxx
    next
end

config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.

config system global
    set private-data-encryption disable
end
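As an added example (not from this article or from Fortinet), the following Python script parses the 'show system admin' and 'show system global' output format shown above and reports the private-data-encryption state together with the admin accounts holding the super_admin profile, which from FortiOS 7.6.1 are the only accounts able to change that setting. The sample configuration text is constructed for the example.

```python
# Constructed sample in the FortiOS CLI block format shown in the article
# (not output captured from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "test"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC xxx
    next
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC xxx
    next
end
config system global
    set private-data-encryption enable
end
"""


def parse_fortios_blocks(text):
    """Parse config/edit/set/next/end blocks into nested dicts.
    Table sections map entry name -> {setting: value}; scalar sections
    map setting -> value. Surrounding double quotes are stripped."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[len("config "):], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and section is not None:
            key, _, value = line[len("set "):].partition(" ")
            (entry if entry is not None else section)[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def audit_pde(sections):
    """Return (private-data-encryption state, sorted super_admin account names).
    'show' omits default values, so a missing setting means the default 'disable'.
    From FortiOS 7.6.1 only the returned accounts can change the setting."""
    pde = sections.get("system global", {}).get("private-data-encryption", "disable")
    admins = sections.get("system admin", {})
    supers = sorted(n for n, s in admins.items() if s.get("accprofile") == "super_admin")
    return pde, supers
```

Feed it the text of a saved 'show system admin' and 'show system global' session to see which accounts on a 7.6.1 unit can still toggle the setting.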