FortiGate
auppal
Staff
Article Id 275604
Description

This article describes why the SSL VPN Settings page on the GUI fails to load with the error 'Access Denied' when the admin profile in use has access to all services set to None except VPN.
Scope

FortiGate, Admin Profile.

Demonstration

For example, a user 'VPN' is assigned the admin profile 'VPN', which grants only VPN Read/Write access.

[Screenshot: VPN-rw.png]

[Screenshot: localuser.png]

When the user 'VPN' tries to open the SSL VPN Settings page on the GUI, it is presented with the error 'Access Denied' even though the admin profile has Read/Write permission for VPN.

[Screenshot: Access-denied.png]

The following httpsd debug output shows the API calls made while the page loads for the user 'VPN'; the successful calls are followed by calls that fail because of insufficient privileges.

2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] handle_cli_req_v2[3445] -- new CMDB API request (vdom='root',user='vpn')
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] __check_read_access_for_node_or_datasource[927] -- CMDB read access check passed for 'user.local', because admin ('vpn') has write or read-write access for 'vpn.ssl.settings' (perm==3)
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/user/local" (HTTP 200)
2023-09-22 13:01:59 [httpsd 5331 - 1695412919     info] handle_cli_req_v2[3445] -- new CMDB API request (vdom='root',user='vpn')
2023-09-22 13:01:59 [httpsd 5330 - 1695412919     info] __check_read_access_for_node_or_datasource[927] -- CMDB read access check passed for 'user.group', because admin ('vpn') has write or read-write access for 'vpn.certificate.setting' (perm==3)
2023-09-22 13:01:59 [httpsd 5331 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/vpn.ssl/settings" (HTTP 200)
2023-09-22 13:01:59 [httpsd 5331 - 1695412919     info] handle_cli_req_v2[3445] -- new CMDB API request (vdom='root',user='vpn')
2023-09-22 13:01:59 [httpsd 5331 - 1695412919    error] gui_chk_acc_perm_by_node[1015] -- CMDB permission check failed for 'system.ddns.' (perm==1, admin=='vpn')
2023-09-22 13:01:59 [httpsd 5331 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/system/ddns" (HTTP 403)
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] handle_cli_req_v2[3445] -- new CMDB API request (vdom='root',user='vpn')
2023-09-22 13:01:59 [httpsd 5329 - 1695412919    error] gui_chk_acc_perm_by_node[1015] -- CMDB permission check failed for 'system.email-server.' (perm==1, admin=='vpn')
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/system/email-server" (HTTP 403)

As seen in the API calls above, loading the SSL VPN Settings page on the GUI also triggers API calls to CMDB objects under the system tree, such as system.ddns and system.email-server.

Because the admin profile grants None access to System, those calls fail with HTTP 403, which causes the Access Denied error on the GUI.
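To find out which access group a denied admin is missing from its profile without reading the debug output by hand, here is an added Python example (not from this article or from Fortinet) that pairs each gui_chk_acc_perm_by_node failure with the HTTP 403 completion logged by the same httpsd worker PID; the log text is a constructed sample modelled on the lines above, with the two workers interleaved to show why the PID pairing matters.

```python
import re
from collections import defaultdict

# Constructed sample of FortiGate httpsd debug output, modelled on the lines quoted above.
SAMPLE_LOG = """\
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] handle_cli_req_v2[3445] -- new CMDB API request (vdom='root',user='vpn')
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/user/local" (HTTP 200)
2023-09-22 13:01:59 [httpsd 5331 - 1695412919    error] gui_chk_acc_perm_by_node[1015] -- CMDB permission check failed for 'system.ddns.' (perm==1, admin=='vpn')
2023-09-22 13:01:59 [httpsd 5329 - 1695412919    error] gui_chk_acc_perm_by_node[1015] -- CMDB permission check failed for 'system.email-server.' (perm==1, admin=='vpn')
2023-09-22 13:01:59 [httpsd 5331 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/system/ddns" (HTTP 403)
2023-09-22 13:01:59 [httpsd 5329 - 1695412919     info] fweb_debug_final[318] -- Completed GET request for "/api/v2/cmdb/system/email-server" (HTTP 403)
"""

# Permission failure: capture worker PID, CMDB node, perm value and admin name.
PERM_FAIL = re.compile(
    r"\[httpsd (\d+) [^\]]*\] gui_chk_acc_perm_by_node\[\d+\] -- "
    r"CMDB permission check failed for '([^']+)' \(perm==(\d+), admin=='([^']+)'\)"
)
# Request completion: capture worker PID, HTTP method, URL and status code.
COMPLETED = re.compile(
    r'\[httpsd (\d+) [^\]]*\] fweb_debug_final\[\d+\] -- '
    r'Completed (\w+) request for "([^"]+)" \(HTTP (\d+)\)'
)


def denied_requests(log_text):
    """Return {admin: [(cmdb_node, url), ...]} in log order, pairing each
    permission failure with the HTTP 403 completion from the same PID."""
    pending = {}                       # pid -> (node, admin) awaiting its 403
    denied = defaultdict(list)
    for line in log_text.splitlines():
        m = PERM_FAIL.search(line)
        if m:
            pid, node, _perm, admin = m.groups()
            pending[pid] = (node.rstrip("."), admin)   # log writes 'system.ddns.'
            continue
        m = COMPLETED.search(line)
        if m and m.group(4) == "403" and m.group(1) in pending:
            node, admin = pending.pop(m.group(1))
            denied[admin].append((node, m.group(3)))
    return dict(denied)


def missing_read_groups(log_text):
    """Map each admin to the profile access groups (first CMDB path component,
    e.g. 'system') that need at least Read access for the page to load."""
    return {admin: sorted({node.split(".", 1)[0] for node, _ in rows})
            for admin, rows in denied_requests(log_text).items()}
```

Run the two functions over the output of the httpsd debug captured while the failing page loads; the group names returned correspond to the access groups shown in the admin profile editor.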

Solution

From an admin account with super_admin access privileges, grant at least Read-only permission to System in the admin profile. This allows the API calls to succeed and the SSL VPN Settings page to be displayed.

Navigate to System -> Admin Profiles -> Edit Profile -> Set System to Read.

[Screenshot: enable system.png]

Custom-level access permissions can also be used to allow only the required part of System. At least Configuration needs to be set to Read, as shown below:

[Screenshot: custom.png]