FortiGate
JCPL
Staff & Editor
Article Id 333923
Description

This article describes how to recover the admin account by accessing FortiGate through a user with a prof_admin profile.

Scope

FortiGate.

Solution

If the only admin account that can log in to the FortiGate has the prof_admin profile assigned, the following steps can be performed to recover the admin account with a super_admin profile.

 

Note:

This procedure does not apply if multi-VDOM is enabled.

 

  • Log in to the FortiGate with a user that has the admin profile 'prof_admin'.
  • Go to System -> Admin profile.
    • The super_admin profile should have more than one reference. After selecting the references, two different types of system admins will be shown:

        • Single Sign-On Administrator: fabric-admin

        • System Administrator: admin.

       

super_admin.png

 

  • If super_admin is referenced by a Single Sign-On Administrator, the FortiCare account SSO can be used to access the FortiGate with the super_admin profile.

  • Go to System -> Settings and enable the FortiCloud SSO option.

    For v7.4 and later:

 

2.png

 

    For v7.0 and below:

 

7.0.png

  • Once the SSO option is enabled, log in to the FortiGate by selecting Sign in with FortiCloud.

  • The FortiCloud SSO user has a super_admin profile by default.

 

3.png

 

To check from the CLI whether FortiCloud SSO admin login is enabled and which profile is assigned to it:

 

preve-kvm35 # show full system global | grep forticloud
    set admin-forticloud-sso-default-profile ''
    set admin-forticloud-sso-login enable
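
As an added example (not Fortinet's code), the Python below parses output in the shape shown above and reports whether FortiCloud SSO admin login is enabled and with which profile, so the setting can be reviewed in saved configurations once the recovery is finished. The sample hostname and the function names are constructed, and it assumes an empty default profile means super_admin, following the statement above that this is the default.

```python
import shlex

SSO_LOGIN = "admin-forticloud-sso-login"
SSO_PROFILE = "admin-forticloud-sso-default-profile"

# Constructed sample in the shape of the CLI output above (hostname is made up).
SAMPLE = """\
fgt-lab # show full system global | grep forticloud
    set admin-forticloud-sso-default-profile ''
    set admin-forticloud-sso-login enable
"""

def parse_set_lines(text):
    """Return {key: value} for every 'set <key> <value>' line in FortiOS CLI output."""
    settings = {}
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)  # handles '' and "quoted profile names"
        except ValueError:
            continue  # unbalanced quotes: not a clean 'set' line, skip it
        if len(tokens) >= 2 and tokens[0] == "set":
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings

def audit_forticloud_sso(text):
    """Summarise FortiCloud SSO admin login state from 'show full system global' output."""
    s = parse_set_lines(text)
    enabled = s.get(SSO_LOGIN) == "enable"
    # Assumption: an empty default profile means the SSO admin gets super_admin,
    # based on the article's statement that super_admin is the default.
    effective = s.get(SSO_PROFILE, "") or "super_admin"
    if SSO_LOGIN not in s:
        finding = "unknown: setting not present in the supplied output"
    elif not enabled:
        finding = "ok: FortiCloud SSO admin login is disabled"
    elif effective == "super_admin":
        finding = "review: FortiCloud SSO login is enabled with super_admin rights"
    else:
        finding = f"info: FortiCloud SSO login is enabled with profile {effective}"
    return {"enabled": enabled, "profile": effective, "finding": finding}

if __name__ == "__main__":
    print(audit_forticloud_sso(SAMPLE))
```
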

 

Related documents:

Technical Tip: Reset another super admin’s password (Lost/Forgotten)

Allow the FortiGate to override FortiCloud SSO administrator user permissions 7.2.4

Technical Tip: Resetting a lost admin password