Description
This article describes how to delete ADOM-level user and user group objects that are incorrectly referenced in the device-level database of FortiManager.
This state can occur because of mishandled object references in some older FortiManager versions. It applies to the following ADOM database objects when they are used as administrators on one or more managed FortiGates:
- user (Local or remote users).
- user group (User groups).
- user radius (RADIUS servers).
- user ldap (LDAP servers).
- user peergrp (PKI user groups).
Scope
FortiManager versions 6.x and 7.x
Solution
Important:
When using workspace mode, remember to lock the ADOM before making changes and to use the 'Save' button when done.
How to identify the issue:
When an attempt is made to delete an affected object from the Object Configurations GUI, FortiManager returns the message 'The following objects are currently referenced by other policies or objects'.
However, the 'Where Used' feature shows no reference, or shows a reference to the object's name in a policy package that may or may not exist.
Verify whether the object has a 'scope' set or enabled by running the following command in the FortiManager CLI (type '?' after each space to print the available options):
execute fmpolicy print-adom-object <ADOM> <table> <object>
Example:
exe fmpolicy print-adom-object "root" "user group" "USR_GRP_INTERSEC"
Output similar to the following is printed (after 5-30 seconds, depending on the database size):
Dump object [USR_GRP_INTERSEC] of category [user group] in adom [root]:
---------------
config user group
    edit "USR_GRP_INTERSEC"
        set member "aaa"
        set _limit_scope enable    <-- (may also be set _scope ...)
    next
end
If the unused object has no scope set but still cannot be deleted, the problem might be elsewhere. Contact Fortinet Technical Support for further assistance.
How to fix the incorrect reference:
Since the scope flags are not exposed in the GUI, the invalid reference must be removed with a CLI script run on 'Policy Package or ADOM Database':
config user group
    edit "USR_GRP_INTERSEC"
        set _limit_scope disable
        unset _scope
    next
end
Run the script:
When running this script, the Policy Package selection is irrelevant, because the object is not part of any package. However, the next step requires a package to be selected, so select any available package and run the script.
After the scope has been removed, the object can be deleted completely from Object Configurations, or with another script such as:
config user group
    delete USR_GRP_INTERSEC
end
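The identification and fix steps above can be checked mechanically when many objects are affected. The following Python script is an added example, not part of this article or of FortiManager: it parses the output of 'execute fmpolicy print-adom-object', lists every object that still carries a '_limit_scope' or '_scope' flag, and generates the cleanup script shown above. The sample dump is constructed; the nested 'config _scope' layout and the second, clean object are assumptions.

```python
# Constructed sample of 'execute fmpolicy print-adom-object' output; the nested
# 'config _scope' layout and the second, clean object are assumptions.
SAMPLE_DUMP = """\
Dump object [USR_GRP_INTERSEC] of category [user group] in adom [root]:
config user group
    edit "USR_GRP_INTERSEC"
        set member "aaa"
        set _limit_scope enable
        config _scope
            edit "FGT-01"
            next
        end
    next
    edit "USR_GRP_CLEAN"
    next
end
"""

def parse_dump(text):
    """Parse dump into {table: {object: {key: value}}}; a nested sub-table becomes a key with value None."""
    objects, stack, name = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
            if len(stack) == 1:
                objects.setdefault(stack[0], {})
            elif name:  # sub-table inside an object, e.g. 'config _scope'
                objects[stack[0]][name][stack[-1]] = None
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and line.startswith("edit "):
            name = line[5:].strip('"')
            objects[stack[0]][name] = {}
        elif len(stack) == 1 and line.startswith("set ") and name:
            key, _, value = line[4:].partition(" ")
            objects[stack[0]][name][key] = value.strip('"')
        elif len(stack) == 1 and line == "next":
            name = None
    return objects

def scoped_objects(objects):
    """(table, name) pairs still carrying a scope flag, i.e. the stale reference."""
    return [(t, n) for t, objs in objects.items() for n, s in objs.items()
            if "_limit_scope" in s or "_scope" in s]

def fix_script(objects):
    """CLI script clearing the scope flags, mirroring the article's fix step."""
    block = 'config {t}\n    edit "{n}"\n        set _limit_scope disable\n        unset _scope\n    next\nend'
    return "\n".join(block.format(t=t, n=n) for t, n in scoped_objects(objects))
```

Paste the real dump into SAMPLE_DUMP (or read it from a file) and run the generated script on 'Policy Package or ADOM Database' as described above.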
Note:
When using workspace mode, after running each CLI script, return to the main Device Manager page and use the red 'Save' button to apply the change to the database.