Resource-based permissions
Permission control is global to the FortiSASE portal and provides the following privileges for each resource:
- No access
- Read/write access
- Read-only access
> If an Identity & Access Management (IAM) user is assigned a permissions profile with no access configured for all FortiSASE portal resources, then the IAM user cannot log into the FortiSASE portal.
The FortiSASE portal has the following resource categories:

| Resource | Provides control over... |
|---|---|
| User & Authentication | User and authentication related settings. |
| Policy | VPN, SWG, and SPA policies. |
| Logging | Logging and reports features. |
| Monitoring | Monitoring features including FortiView, Digital Experience Monitoring, Managed Endpoints, and other monitor widgets. |
| Dashboards | Dashboard features. |
| Network | Network features including edge devices, SPA, DNS, hosts, services, and feeds. |
| System | System settings. |
| Security | Security profile groups and security features. |
| Endpoint Management | Managed Endpoints page, endpoint profiles, and zero trust network access (ZTNA) settings. |
| Infrastructure | FortiSASE provisioning. |
See Permission profiles within Organizations.
Access to specific pages and actions requires permissions to multiple resources.

> In the tables below, for entries marked Read-only access that allow or show something, that privilege is the minimum level required; the higher Read/write access level also satisfies them. For entries marked Read-only access that block or hide something, Read-only access is the only privilege needed to get that effect.
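The minimum-privilege rule above is easy to get wrong when building profiles by hand, so here is an added illustration (not Fortinet code, and not the portal's own evaluator) that models the two rules this page states: a profile that is No access on every resource cannot log in, and an allow/show entry's privilege is a minimum that Read/write also satisfies. The `ALLOW_ACTIONS` table is a constructed subset of the allow/show rows from the tables below; action names, function names and the `least_privilege_profile` helper are assumptions made for the example.

```python
"""Evaluate a FortiSASE-style permission profile against per-action minimums.

Added example, not Fortinet's code. Models only the "allow"/"show" rule
(the stated level is a minimum) and the all-No-access login rule.
"""
from enum import IntEnum


class Level(IntEnum):
    """Privilege levels in increasing order of access."""
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# The ten resource categories listed on this page.
RESOURCES = (
    "User & Authentication", "Policy", "Logging", "Monitoring", "Dashboards",
    "Network", "System", "Security", "Endpoint Management", "Infrastructure",
)

# Constructed subset of the page's allow/show rows: action -> minimum level per resource.
# Action names are assumptions; the resource levels are taken from the tables.
ALLOW_ACTIONS = {
    "view Connected Users page": {"User & Authentication": Level.READ_ONLY},
    "edit VPN User SSO page": {"User & Authentication": Level.READ_WRITE,
                               "Monitoring": Level.READ_WRITE},
    "view users and groups from policies": {"Policy": Level.READ_WRITE,
                                            "User & Authentication": Level.READ_ONLY},
    "download generated reports": {"Logging": Level.READ_ONLY},
    "view Hosts, Services and Feeds pages": {"Network": Level.READ_ONLY},
}


def make_profile(levels):
    """Build a full profile; resources not named default to No access."""
    profile = {resource: Level.NO_ACCESS for resource in RESOURCES}
    for resource, level in levels.items():
        if resource not in profile:
            raise KeyError(f"unknown resource: {resource}")
        profile[resource] = Level(level)
    return profile


def can_log_in(profile):
    """Login is refused when every resource is No access (rule stated on this page)."""
    return any(level > Level.NO_ACCESS for level in profile.values())


def missing_privileges(profile, action):
    """Resources whose level is below the action's minimum; empty means allowed."""
    return {resource: minimum
            for resource, minimum in ALLOW_ACTIONS[action].items()
            if profile.get(resource, Level.NO_ACCESS) < minimum}


def is_allowed(profile, action):
    """True when the user can log in and meets every minimum for the action."""
    return can_log_in(profile) and not missing_privileges(profile, action)


def allowed_actions(profile):
    """All modelled actions the profile permits, in sorted order."""
    return sorted(action for action in ALLOW_ACTIONS if is_allowed(profile, action))


def least_privilege_profile(actions):
    """Smallest profile (per-resource maximum of the minimums) that permits the actions."""
    profile = {resource: Level.NO_ACCESS for resource in RESOURCES}
    for action in actions:
        for resource, minimum in ALLOW_ACTIONS[action].items():
            profile[resource] = max(profile[resource], minimum)
    return profile


if __name__ == "__main__":
    # Constructed helpdesk profile: read-only on users and logs, nothing else.
    helpdesk = make_profile({"User & Authentication": Level.READ_ONLY,
                             "Logging": Level.READ_ONLY})
    print("helpdesk can log in:", can_log_in(helpdesk))
    print("helpdesk may:", allowed_actions(helpdesk))
    print("to edit VPN User SSO page, raise:",
          missing_privileges(helpdesk, "edit VPN User SSO page"))
    wanted = ["view users and groups from policies", "download generated reports"]
    print("least-privilege profile for", wanted, "->",
          {r: l.name for r, l in least_privilege_profile(wanted).items()
           if l > Level.NO_ACCESS})
```

`least_privilege_profile` is the part worth keeping in an admin's toolbox: start from the actions a role must perform, take the per-resource maximum of their minimums, and you get the smallest profile that works rather than one padded with Read/write "just in case".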
User & Authentication

| Action | User & Authentication | Monitoring | Endpoint Management | System |
|---|---|---|---|---|
| Allow viewing of Connected Users page, and Remote Users and User Connection Monitor widgets | Read-only access | | | |
| Onboard users button redirects to Client Onboarding documentation | Read-only access | | | |
| Block import and export of users and groups | Read-only access | | | |
| Allow viewing of users, PKI users, and groups | Read-only access | | | |
| Allow viewing of LDAP and RADIUS servers and users | Read-only access | | | |
| Hide VPN user SSO page | Read-only access | | | |
| Allow editing of VPN User SSO page | Read/write access | Read/write access | | |
| Make Show in FortiView unavailable in User Connection Monitor | Read/write access | No access | | |
| Make View Endpoint Details unavailable in Managed Endpoints widget/page | Read/write access | | No access | |
| Hide SWG user SSO page | Read/write access | | | No access |
Policy

| Action | Policy | User & Authentication | Network | Logging | Monitoring | Security | Endpoint Management |
|---|---|---|---|---|---|---|---|
| Allow users and groups to be viewed from policies | Read/write access | Read-only access | | | | | |
| Allow users and groups to be created inline from policies | Read/write access | Read/write access | | | | | |
| Allow creating hosts, feeds, and services inline within policies | Read/write access | Read/write access | | | | | |
| Hide private access policies | Read/write access | No access | | | | | |
| Allow creating ZTNA tags inline within policies | Read/write access | Read/write access | | | | | |
| Allow Show Matching Traffic Logs when a policy is right-clicked | Read/write access | Read-only access | | | | | |
| Allow Show in FortiView when a policy is right-clicked | Read/write access | Read-only access | | | | | |
| Allow creating security profile groups inline within policies | Read/write access | Read-only access | | | | | |
Logging

| Action | Logging | Network |
|---|---|---|
| Allow downloading of generated reports | Read-only access | |
| Allow scheduled reports to be viewed | Read-only access | |
| Allow Analytics > Settings page to be viewed | Read-only access | |
| Hide private access tab from Traffic logs | Read/write access | No access |
Monitoring

| Action | Monitoring | User & Authentication | Dashboards | Network | Endpoint Management |
|---|---|---|---|---|---|
| Hide FortiView monitors, Digital Experience Monitoring (DEM), Managed Endpoints, User Connection Monitor, Application Bandwidth, and Bandwidth Monitor widgets | No access | | | | |
| Show Asset Map, DEM, Managed Endpoints, and Connected Users pages | Read-only access | | | | |
| Hide Subscribe button from Health widget | Read-only access | | | | |
| Allow downloading FortiClient logs from Endpoint details slide-in | Read/write access | Read-only access | | | |
| Allow requesting FortiClient logs from Endpoint details slide-in | Read/write access | Read/write access | | | |
| Allow DEM endpoint features from Endpoint details slide-in | Read/write access | Read/write access | | | |
| Block ability to modify Management Connection status of endpoints | Read/write access | No access | | | |
| Allow add, edit, delete of FortiView monitors in Dashboards | Read/write access | Read/write access | | | |
| Hide SPA hubs and edge devices from Asset Map | Read/write access | | | No access | |
| Hide Connected Users link from Asset Map | Read/write access | No access | | | |
| Hide Deauthenticate button from Connected Users page and User Connection Monitor widget | Read/write access | Read-only access | | | |
Dashboards

| Action | Dashboards | User & Authentication | Monitoring | Network | Security | Endpoint Management |
|---|---|---|---|---|---|---|
| Block ability to create, edit, delete, and resize widgets | Read-only access | | | | | |
| Block ability to add FortiView and monitor widgets | Read/write access | No access | | | | |
| Block ability to add widgets related to private access and edge devices | Read/write access | No access | | | | |
| Block ability to add Managed Endpoints and Vulnerability Summary widgets | Read/write access | No access | | | | |
| Block ability to add User Connection Monitor and Remote Users widgets | Read/write access | No access | | | | |
| Block ability to add Internet Access Security Status widget | Read/write access | No access | | | | |
Network

| Action | Network |
|---|---|
| Show Edge Devices (FortiAPs, FortiExtenders, FortiGates), Secure Private Access, DNS, Hosts, Services, and Feeds pages | Read-only access |
| Hide Update authentication method, Service Connection Priorities, Edit, and Delete buttons from Network > Secure Private Access | Read-only access |
| Hide Create, Edit, and Delete buttons for Hosts, Services, Feeds, and DNS pages | Read-only access |
| Disable Authorize, Deauthorize, and Disconnect actions for Edge Devices | Read-only access |
| Hide notifications for newly discovered edge devices | Read-only access |
System

| Action | Network |
|---|---|
| Block import, download, and delete actions for certificates | Read-only access |
| Block save and edit of HTML templates | Read-only access |
| Block create, edit, and delete of images in HTML templates > Images tab | Read-only access |
| Hide System section | No access |
Security

| Action | Security | Logging | Monitoring | Network |
|---|---|---|---|---|
| Block ability to create, edit, or delete security profile groups | Read-only access | | | |
| Block ability to enable or disable security features | Read-only access | | | |
| Block ability to create, edit, or delete profile resources | Read-only access | | | |
| Hide View Logs buttons from all security features | Read/write access | No access | | |
| Hide View All buttons from all security features | Read/write access | No access | | |
| Display threat data in the security features cards | Read/write access | Read-only access | Read-only access | |
| Hide the Private Access tab in the Configuration > Security > Profiles page | Read/write access | No access | | |
| Show the Private Access tab and allow renaming, deleting, and customizing of private access security profile groups | Read/write access | Read-only access | | |
Endpoint Management

| Action | Endpoint Management | Monitoring |
|---|---|---|
| Allow downloading FortiClient logs from Endpoint details slide-in | Read-only access | Read/write access |
| Allow requesting FortiClient logs from Endpoint details slide-in | Read/write access | Read/write access |
| Allow DEM endpoint features from Endpoint details slide-in | Read/write access | Read/write access |
| Block ability to modify Management Connection status of endpoints | Read-only access | |
| Hide More Options > Show in FortiView in Managed Endpoints page | Read/write access | No access |
Infrastructure

| Action | Infrastructure |
|---|---|
| Block provisioning of FortiSASE instance | Read-only access or No access |