Description
This article describes how to resolve the 'Access Denied' error that appears after a role has been assigned to a user.
Scope
FortiPAM.
Solution
The permission to read the secret table must be granted to the role that is assigned to the user.
Step 1:
In this example, the user 'Tom' is mapped to the role named 'ROLE_DEFAULT_SUPPLIER'. The user is added as a 'customized User' so that the intended roles can be assigned.
Config in CLI:
config system admin
edit "Tom"
set remote-auth enable
set accprofile "ROLE_DEFAULT_SUPPLIER"
config gui-dashboard
edit 1
set name "Status"
set permanent enable
next
end
next
end
GUI:
Step 2:
The permissions of a role can be edited as needed by navigating to User Management -> Role -> Edit the required role.
The one requirement for a user who logs in to access secrets is that the assigned role grants permission to read the secret table.
If 'set secret-table read' is missing from the role's secretgrp-permission configuration, the 'Access denied' error is shown.
Config in CLI:
config system accprofile
edit "ROLE_DEFAULT_SUPPLIER"
set ftviewgrp read-write
set authgrp custom
set vpngrp read
set secretgrp custom
set file-launcher-perm disable
set secret-proxy-mode allow-non-proxy
config secretgrp-permission
set request read-write
set folder-table read
set secret-table read <--
end
next
end
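As an added check (not part of this article or of Fortinet's own tooling), the following Python snippet parses accprofile output in the CLI format shown above and reports whether a given role grants read access to the secret table. The sample configuration is constructed, and the assumption that secretgrp accepts none/read/read-write/custom (as on other Fortinet products) is labelled in the code.

```python
import shlex
# Constructed sample modelled on the article's accprofile block: one role
# with 'set secret-table read' present and one where that line is missing.
SAMPLE_CONFIG = """\
config system accprofile
    edit "ROLE_DEFAULT_SUPPLIER"
        set secretgrp custom
        config secretgrp-permission
            set folder-table read
            set secret-table read
        end
    next
    edit "ROLE_NO_SECRET_READ"
        set secretgrp custom
        config secretgrp-permission
            set folder-table read
        end
    next
end
"""
def parse_fortios_config(text: str) -> dict:
    """Parse FortiOS-style CLI text into nested dicts: 'config X' and
    'edit Y' open a level, 'next'/'end' close it, 'set k v' stores v."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif keyword == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
    return root

def profile_can_read_secrets(text: str, profile: str) -> bool:
    """True when the named accprofile grants read access to the secret table.
    Assumption: secretgrp is none/read/read-write/custom; 'custom' defers to secretgrp-permission."""
    cfg = parse_fortios_config(text).get("system accprofile", {}).get(profile)
    if cfg is None:
        return False
    grp = cfg.get("secretgrp", "none")
    if grp in ("read", "read-write"):
        return True
    perm = cfg.get("secretgrp-permission", {}).get("secret-table", "none")
    return grp == "custom" and perm in ("read", "read-write")
```

Feed it the output of 'show system accprofile' to spot roles that will produce the 'Access denied' error before users report it.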
Copyright 2025 Fortinet, Inc. All Rights Reserved.