FortiManager
shaznita (Staff)
Article Id 392942
Description This article describes a workaround for assigning the Restricted Admin profile to a remotely authenticated user, because FortiManager does not support the Restricted Admin profile as the override profile of a remote user.
Scope FortiManager.
Solution

Create 2 wildcard admin users:

  1. One for the Restricted Admin profile
  2. One for generic users

Sample configuration:

Fortimanager # show system admin user
config system admin user
    edit "Wildcard_1"                                <----- User 1
        set profileid "DB_IPS"
        set adom-access all
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "IPS_USER_GROUP"    <----- Restricted Admin profile.
    next
    edit "Wildcard_2"                                <----- User 2
        set profileid "No_Permission_User"
        set adom-access all
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "fac"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "SUPER_USER_GROUP"  <----- Generic user.
    next
end

With the above setup, users mapped to the Restricted Admin group get that profile through the first wildcard user, and a user who does not match it is picked up by the second wildcard user.
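As an added example (not from the article or from Fortinet), the Python script below parses `show system admin user` output in the format shown above and checks that every wildcard admin user has ext-auth-accprofile-override enabled and that no two users share the same ext-auth-group-match, which would make the mapping ambiguous. The sample text is constructed from the article's two users with the inline annotations removed.

```python
import shlex
# Constructed sample: the article's two wildcard users with the annotations removed.
SAMPLE = """\
config system admin user
    edit "Wildcard_1"
        set profileid "DB_IPS"
        config meta-data
        end
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "IPS_USER_GROUP"
    next
    edit "Wildcard_2"
        set profileid "No_Permission_User"
        set wildcard enable
        set ext-auth-accprofile-override enable
        set ext-auth-group-match "SUPER_USER_GROUP"
    next
end
"""

def parse_admin_users(text):
    """Return {user: {key: value}}; nested tables such as meta-data are skipped by depth."""
    users, current, depth = {}, None, 0
    for raw in text.splitlines():
        parts = shlex.split(raw) or [""]       # blank line -> empty keyword
        kw = parts[0]
        if kw == "config":                      # entering a table (depth 1 = admin users)
            depth += 1
        elif kw == "end":
            depth -= 1
        elif depth == 1 and kw == "edit":       # a new admin user entry
            users[(current := parts[1])] = {}
        elif depth == 1 and kw == "next":       # entry closed
            current = None
        elif depth == 1 and kw == "set" and current is not None:
            users[current][parts[1]] = " ".join(parts[2:])
    return users

def audit_wildcard_users(users):
    """Flag wildcard users lacking profile override or sharing a group match."""
    findings, seen = [], {}
    for name, a in users.items():
        if a.get("wildcard") != "enable":
            continue
        if a.get("ext-auth-accprofile-override") != "enable":
            findings.append(f"{name}: ext-auth-accprofile-override not enabled")
        group = a.get("ext-auth-group-match", "")
        if group in seen:
            findings.append(f"{name}: group {group} also matched by {seen[group]}")
        seen.setdefault(group, name)
    return findings
```

Paste the real `show system admin user` output into SAMPLE (or read it from a file) and an empty findings list means the two-user pattern from the article is intact.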
