Hello,
On my FortiGate 100F I would like to create an admin user with the following profiles:
- Able to change the admin users password
- Able to update the SSH key of users
But I didn't find the possibility to do this in System/Admin Profiles.
Thanks.
For password changes you will need a super_admin profile. Lower permissions do not have rights to set passwords for other admins.
For setting SSH keys, it seems like membership in "prof_admin" is enough. I was not able to distill this further into specific permissions. "System" alone is not good enough.
But be aware that non-super_admin accounts cannot edit, nor even see at all, the configs of super_admin accounts. So for full control of passwords and SSH keys of ALL other admin accounts, the account must be a super_admin.
Hello,
Thank you for your quick answer. Are there any alternative solutions besides using the super_admin profile? I am afraid our Cyber team won't accept it.
E.g., do FortiManager or FortiAuthenticator have more advanced user rights?
FortiAuthenticator can only operate within FortiGate's own parameters: It can only specify which admins are to be assigned which existing admin profiles.
No comments on FortiManager, not my area of expertise.
In theory you could have your own DIY front-end (that would have the super_admin profile itself), and add your own authentication/permission filtering there to permit processing and forwarding only the relevant changes (admin pwd, SSH key) in the FortiOS config.
I suppose FortiPAM could be of interest? https://docs.fortinet.com/product/fortipam/1.4
Though I cannot provide any further info here either, as I have not used it myself yet.
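The filtering front-end idea from the reply above, as an added example (not part of the original thread and not Fortinet code): an allow-list check that such a front-end would run before forwarding anything with its own super_admin credentials. It assumes the field names match the FortiOS CLI attributes `password` and `ssh-public-key1` to `ssh-public-key3`; the policy map, the 12-character minimum and the returned payload shape are hypothetical.

```python
import base64, re, struct

# Assumption: field names follow the FortiOS CLI attributes of "config system admin".
ALLOWED_FIELDS = {"password", "ssh-public-key1", "ssh-public-key2", "ssh-public-key3"}
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,35}")

class Rejected(Exception):
    pass

def check_ssh_key(value):
    """Accept only '<type> <base64>' whose blob really encodes the same type."""
    parts = value.split(" ")
    if len(parts) != 2 or parts[0] not in KEY_TYPES:
        raise Rejected("ssh key must be '<type> <base64>' with an allowed type")
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        inner = blob[4:4 + n].decode("ascii")
    except Exception:
        raise Rejected("ssh key blob is not valid")
    if inner != parts[0]:
        raise Rejected("ssh key type does not match blob")

def filter_change(operator, target, change, policy):
    """Return the payload to forward, or raise Rejected. Nothing else passes."""
    if not NAME_RE.fullmatch(target):
        raise Rejected("bad target name")
    # policy (hypothetical): operator -> set of admin accounts they may manage
    if target not in policy.get(operator, set()):
        raise Rejected("operator may not manage this admin")
    extra = set(change) - ALLOWED_FIELDS
    if not change or extra:
        raise Rejected("only password/SSH key fields may change: %s" % sorted(extra))
    for field, value in change.items():
        # Control characters (newlines etc.) could smuggle extra config lines.
        if not isinstance(value, str) or not value.isprintable():
            raise Rejected("control characters in " + field)
        if field == "password":
            if len(value) < 12:  # local policy, an assumption of this example
                raise Rejected("password too short")
        else:
            check_ssh_key(value)
    return {"admin": target, "set": dict(change)}
```

Because the front-end itself holds super_admin, every accepted and rejected request should also be logged with the operator's identity, and super_admin accounts should simply be left out of the policy map.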
Copyright 2024 Fortinet, Inc. All Rights Reserved.