FortiManager
MartiskaM
Staff
Article Id 229589

Description

 

This article describes how to delete ADOM-level user and user group objects that are incorrectly referenced in a device-level database of FortiManager.

This state can occur because some older FortiManager versions mishandled the object reference. It applies to the following ADOM database objects when they are used as administrators on one or more managed FortiGates:

  • user (Local or remote users).
  • user group (User groups).
  • user radius (RADIUS servers).
  • user ldap (LDAP servers).
  • user peergrp (PKI user groups).


Scope

 

FortiManager versions 6.x and 7.x

Solution

 

Important:

When using workspace mode, remember to lock the ADOM before making changes and to use the 'Save' button when done.

 

How to identify the issue:

On an attempt to delete an affected object from the Object Configurations GUI, FortiManager returns a message stating that 'The following objects are currently referenced by other policies or objects'.


[Screenshot: the 'referenced by other policies or objects' error shown when deleting the object]


However, the 'Where Used' feature shows no reference at all, or only a reference to the object's name in a policy package that may or may not exist.


[Screenshot: the 'Where Used' view for the object]


Verify whether the object has a 'scope' set or enabled by running the following command in the FortiManager CLI (use '?' after each space to print the available options):

 

execute fmpolicy print-adom-object <ADOM> <table> <object>

 

Example:

 

exe fmpolicy print-adom-object "root" "user group" "USR_GRP_INTERSEC"

 

Output similar to the following is printed (after 5-30 seconds, depending on the database size):

 

Dump object [USR_GRP_INTERSEC] of category [user group] in adom [root]:
---------------
config user group
    edit "USR_GRP_INTERSEC"
        set member "aaa"
        set _limit_scope enable <-- (may also be set _scope ...)
    next
end

 

If the unused object has no scope set but still cannot be deleted, the problem might be elsewhere. Contact Fortinet Technical Support for further assistance.

 

 

How to fix the incorrect reference:

Since the scope flags are not available in the GUI, the invalid reference needs to be removed with a CLI script run on 'Policy Package or ADOM Database':

 

config user group
    edit "USR_GRP_INTERSEC"
        set _limit_scope disable
        unset _scope
    next
end


[Screenshot: creating the CLI script with 'Policy Package or ADOM Database' as the run target]


Run the script:


[Screenshot: running the CLI script]


When running this script, the Policy Package selection is irrelevant, since the object is not part of any package. However, the next step requires a package to be selected, so select any available package and run the script.


[Screenshot: selecting a policy package before running the script]


After removing the scope, the object can be deleted completely from Object Configurations, or with another script such as:

 

config user group
    delete USR_GRP_INTERSEC
end
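As an added example that is not part of the original article, the helper below parses the output of 'execute fmpolicy print-adom-object' shown above, reports whether the object carries a stale '_limit_scope' or '_scope' setting, and generates the cleanup script from the fix section for the object's own category. The sample dump is constructed; the exact value format of 'set _scope' and the assumption that the category in the dump header matches the 'config' block name are assumptions, not documented behaviour.

```python
import re

# Constructed sample of 'execute fmpolicy print-adom-object' output (assumed
# '_scope' value format; the article only shows '_limit_scope enable').
SAMPLE_DUMP = """Dump object [USR_GRP_INTERSEC] of category [user group] in adom [root]:
---------------
config user group
    edit "USR_GRP_INTERSEC"
        set member "aaa"
        set _limit_scope enable
        set _scope "FGT-A" "FGT-B"
    next
end
"""

HEADER_RE = re.compile(
    r"Dump object \[(?P<name>[^\]]+)\] of category \[(?P<cat>[^\]]+)\] in adom \[(?P<adom>[^\]]+)\]"
)


def parse_dump(text):
    """Extract name, category, ADOM and the hidden scope flags from a dump; None if no header."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    info = {"name": m["name"], "category": m["cat"], "adom": m["adom"],
            "limit_scope": False, "scope": []}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set _limit_scope "):
            info["limit_scope"] = s.split()[2].lower() == "enable"
        elif s.startswith("set _scope "):
            # Prefer quoted device names; fall back to whitespace-separated tokens.
            info["scope"] = re.findall(r'"([^"]*)"', s) or s.split()[2:]
    return info


def has_stale_scope(info):
    """True when either scope flag is present, i.e. the GUI will refuse the delete."""
    return bool(info and (info["limit_scope"] or info["scope"]))


def cleanup_script(info):
    """Build the 'Policy Package or ADOM Database' script that clears the scope flags."""
    if not has_stale_scope(info):
        return None  # nothing to fix; see the 'contact support' note above
    return "\n".join([
        f"config {info['category']}",
        f"    edit \"{info['name']}\"",
        "        set _limit_scope disable",
        "        unset _scope",
        "    next",
        "end",
    ])
```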

 

Note:

When using workspace mode, after running each CLI script go back to the main Device Manager page and use the red 'Save' button to apply the change to the database.