
Administration Guide

Creating administrators


To create a new administrator account, you must be logged in as a super user administrator.

You need the following information to create an account:

  • Which authentication method the administrator will use to log in to the FortiAnalyzer unit. Local, remote, and Public Key Infrastructure (PKI) authentication methods are supported.
  • What administrator profile the account will be assigned, or what system privileges the account requires.
  • If ADOMs are enabled, which ADOMs the administrator will require access to.
  • If using trusted hosts, the trusted host addresses and network masks.

For remote or PKI authentication, the authentication must be configured before you create the administrator. See Authentication for details.

To create a new administrator:
  1. Go to System Settings > Administrators.
  2. In the toolbar, click Create New > Administrator to display the Create New Administrator pane.

  3. Configure the following settings, and then click OK to create the new administrator.

    User Name

    Enter the name the administrator will use to log in.

    Avatar

    Apply a custom image to the administrator.

    Click Add Photo to select an image already loaded to the FortiAnalyzer, or to load a new image from the management computer.

    If no image is selected, the avatar will use the first letter of the user name.

    Comments

    Optionally, enter a description of the administrator, such as their role, location, or the reason for their account.

    Admin Type

    Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. One of: LOCAL, RADIUS, LDAP, TACACS+, PKI, Group, or SSO. See Authentication for more information.

    Server or Group

    Select the RADIUS server, LDAP server, TACACS+ server, or group, as required.

    The server must be configured prior to creating the new administrator.

    This option is not available if the Admin Type is LOCAL or PKI.

    Match all users on remote server

    Select this option to automatically add all users from an LDAP server specified in Admin > Remote Authentication Server. All users specified in the Distinguished Name field of the LDAP server will be added as FortiManager users with the selected Admin Profile.

    Select this option when the Admin Type is SSO to create one SAML SSO wildcard admin user to match all users on the identity provider (IdP) server. This FortiAnalyzer must be configured as a service provider (SP), added to the IdP, and have the same user profile and ADOM names as the IdP. If this is done, the user is assigned the same profile and ADOMs when logging in as an SSO user on this SP. See SAML admin authentication.

    If this option is not selected, the User Name specified must exactly match the LDAP user specified on the LDAP server.

    This option is not available if the Admin Type is LOCAL or PKI.

    Subject

    Enter a comment for the PKI administrator.

    This option is only available if the Admin Type is PKI.

    CA

    Select the CA certificate from the dropdown list.

    This option is only available if the Admin Type is PKI.

    Required two-factor authentication

    Select to enable two-factor authentication.

    This option is only available if the Admin Type is PKI.

    New Password

    Enter the password.

    This option is not available if Match all users on remote server is selected.

    If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

    If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only used when the remote server is unreachable.

    Confirm Password

    Enter the password again to confirm it.

    This option is not available if Match all users on remote server is selected.

    If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

    Force this administrator to change password upon next log on.

    Force the administrator to change their password the next time that they log in to the FortiAnalyzer.

    This option is only available if Password Policy is enabled in Admin Settings. See Password policy.

    FortiToken Cloud

    Enable or disable two-factor authentication with FortiToken Cloud, then select the token delivery method from the following options:

    • FortiToken Mobile: Use the FortiToken Mobile app to get tokens. The administrator is sent an email with a link to activate their token in the FortiToken Mobile app on their mobile device.

    • Email: Receive the token by email.

    • SMS: Receive the token by SMS message.

    This option is not available if Admin Type is set to PKI or SSO. See Two-factor authentication.

    Administrative Domain

    Choose the ADOMs this administrator will be able to access.

    • All ADOMs: The administrator can access all the ADOMs.
    • All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
    • Specify: The administrator can access the selected ADOMs. Specifying the ADOM shows the Specify Device Group to Access check box. Select the Specify Device Group to Access check box and select the Device Group this administrator is allowed to access. The newly created administrator will only be able to access the devices within the Device Group and sub-groups.

    If the Admin Profile is Super_User, then this setting is All ADOMs.

    This field is available only if ADOMs are enabled. See Administrative Domains (ADOMs).

    Admin Profile

    Select an administrator profile from the list. The profile selected determines the administrator’s access to the FortiAnalyzer unit’s features. See Administrator profiles.

    JSON API Access

    Select the permission for JSON API Access. Select Read-Write, Read, or None. The default is None.

    Trusted Hosts

    Optionally, turn on trusted hosts, then enter their IP addresses and netmasks. Up to ten IPv4 and ten IPv6 hosts can be added.

    See Trusted hosts for more information.

    Theme Mode

    Select Use Global Theme to apply a theme to all administrator accounts.

    Select Use Own Theme to allow administrators to select their own theme.

    Meta Fields

    Optionally, enter the new administrator's email address and phone number.

    Advanced Options

    Configure advanced options; see Advanced options below.

    For more information on advanced options, see the FortiAnalyzer CLI Reference.

    Advanced options

    (Option / Description / Default)

    change-password
    Enable or Disable changing password.
    Default: disable

    ext-auth-accprofile-override
    Enable or Disable overriding the account profile by administrators configured on a Remote Authentication Server.
    Default: disable

    ext-auth-adom-override
    Enable or Disable overriding the ADOM by administrators configured on a Remote Authentication Server. This will also override the Admin Profile configured for each ADOM.
    Default: disable

    ext-auth-group-match
    Specify the group configured on a Remote Authentication Server.
    Default: -

    fingerprint
    Specify the user certificate fingerprint based on the MD5, SHA-1, or SHA-256 hash function.
    This option is only available if the Admin Type is PKI.
    Default: -

    first-name
    Specify the first name.
    Default: -

    last-name
    Specify the last name.
    Default: -

    mobile-number
    Specify the mobile number.
    Default: -

    pager-number
    Specify the pager number.
    Default: -

    restrict-access
    Enable or Disable restricted access.
    Default: disable
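The settings in step 3 come with a number of availability rules (Server or Group only for remote types, no password when matching all users on the remote server, FortiToken Cloud unavailable for PKI and SSO, Super_User always getting All ADOMs, at most ten IPv4 and ten IPv6 trusted hosts). The following Python is an added example, not Fortinet's code and not the FortiAnalyzer CLI or JSON API: it encodes those rules as a pre-flight check that an automation job can run over an account definition before pushing it to the unit. The dictionary keys (admin_type, server, match_all_users, password, require_2fa, fortitoken_cloud, admin_profile, adoms, trusted_hosts) and the sample account are this example's own, and the check that rejects an all-zero trusted-host mask is a defender's caveat added here, since such a mask matches every source address and removes the restriction the feature exists to provide.

```python
"""Pre-flight checks for a FortiAnalyzer administrator definition (example only).

The field names below are this example's own; they are not FortiAnalyzer CLI
or JSON API attribute names.
"""
import ipaddress

REMOTE_TYPES = {"RADIUS", "LDAP", "TACACS+", "Group"}
ADMIN_TYPES = REMOTE_TYPES | {"LOCAL", "PKI", "SSO"}
MAX_TRUSTED_PER_FAMILY = 10  # the page: up to ten IPv4 and ten IPv6 hosts


def check_trusted_hosts(entries):
    """Validate 'address netmask' pairs as typed into the Trusted Hosts field.

    Returns a list of problems; an empty list means the entries are acceptable.
    IPv4 entries use a dotted netmask, IPv6 entries a prefix length.
    """
    problems = []
    counts = {4: 0, 6: 0}
    for entry in entries:
        try:
            addr, mask = entry.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"{entry!r}: not a valid address/netmask pair ({exc})")
            continue
        counts[net.version] += 1
        if net.prefixlen == 0:
            # An all-zero mask admits any source address, which defeats the purpose.
            problems.append(f"{entry!r}: mask permits any source address")
    for version, n in counts.items():
        if n > MAX_TRUSTED_PER_FAMILY:
            problems.append(
                f"{n} IPv{version} trusted hosts exceeds the limit of {MAX_TRUSTED_PER_FAMILY}"
            )
    return problems


def check_admin(spec):
    """Apply the option-availability rules listed under step 3 to one account."""
    problems = []
    admin_type = spec.get("admin_type")
    if admin_type not in ADMIN_TYPES:
        return [f"unknown admin type {admin_type!r}"]

    # Server or Group: needed for remote types, not available for LOCAL or PKI.
    if admin_type in REMOTE_TYPES and not spec.get("server"):
        problems.append("remote authentication requires a configured server or group")
    if admin_type in {"LOCAL", "PKI"} and spec.get("server"):
        problems.append("Server or Group is not available for LOCAL or PKI accounts")

    # Match all users on remote server: not for LOCAL or PKI, and no password with it.
    if spec.get("match_all_users") and admin_type in {"LOCAL", "PKI"}:
        problems.append("Match all users on remote server is not available for LOCAL or PKI")
    if spec.get("match_all_users") and spec.get("password"):
        problems.append("New Password is not available when matching all users on the remote server")

    # PKI accounts take a password only with two-factor authentication required,
    # and that option exists only for PKI accounts.
    if admin_type == "PKI" and spec.get("password") and not spec.get("require_2fa"):
        problems.append("a PKI account accepts a password only when two-factor authentication is required")
    if spec.get("require_2fa") and admin_type != "PKI":
        problems.append("Required two-factor authentication is only available for PKI accounts")

    # FortiToken Cloud is not offered for PKI or SSO accounts.
    if spec.get("fortitoken_cloud") and admin_type in {"PKI", "SSO"}:
        problems.append("FortiToken Cloud is not available for PKI or SSO accounts")

    # A Super_User profile always has All ADOMs; a narrower selection is ignored.
    if spec.get("admin_profile") == "Super_User" and spec.get("adoms", "All ADOMs") != "All ADOMs":
        problems.append("a Super_User profile always has All ADOMs; the ADOM restriction is ignored")

    problems.extend(check_trusted_hosts(spec.get("trusted_hosts", [])))
    return problems


# Constructed sample account (example data, not from any real deployment).
SAMPLE_ADMIN = {
    "admin_type": "LOCAL",
    "password": "placeholder-not-a-real-password",
    "admin_profile": "Standard_User",
    "adoms": "Specify",
    "trusted_hosts": ["203.0.113.10 255.255.255.255", "2001:db8::10 128"],
}

if __name__ == "__main__":
    for problem in check_admin(SAMPLE_ADMIN) or ["no problems found"]:
        print(problem)
```

Running the block prints "no problems found" for the sample account; swapping in a trusted host of "0.0.0.0 0.0.0.0", or setting admin_type to "PKI" while keeping fortitoken_cloud enabled, produces a problem line for each rule that is violated.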
