Administration Guide

Configuring administrator accounts and access profiles

The Administrator submenu configures administrator accounts and access profiles.

This topic includes:

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned is one of:

  • System

The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.

  • a protected domain

The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI (For more information on the display modes of the GUI, see Basic mode versus advanced mode).

Note

There are exceptions. Domain administrators can configure IP-based policies, the global block list, the global safe list, the blocklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Areas of the GUI that domain administrators cannot access

  • Monitor except for the Personal Quarantine and Log tab
  • System except for the Administrator tab
  • Domain & User except for the domain, its subdomains, associated domains, user preference, user alias, and address map
  • Policy except Recipient Policy > Inbound and Outbound
  • Profile except for AntiSpam, AntiVirus, Content, Resource, Authentication, Dictionary, Group, and Notification
  • Security except for Security > Block/Safe List (Domain and Personal) and Bayesian
  • Encryption
  • Data Loss Prevention
  • Email Archiving
  • Log & Report

Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see Configuring admin profiles.

There are three possible permission types for an administrator account:

  • Administrator (also known as all)
  • Read & Write
  • Read Only

Administrator account permissions by domain assignment

Permission: Administrator

Domain: system

Administrators with system scope can do the following, within limits set by their access profiles:

  • Can create, view and change all other administrator accounts except the admin administrator account. An administrator can change another administrator’s password using the current password. Only the admin can change a password if the current password is unknown.
  • Can view and change all parts of the FortiMail unit’s configuration, including uploading configuration backup files and restoring firmware default settings.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.
  • Can manually update firmware and antivirus definitions.
  • Can restart and shut down the FortiMail unit.

Domain: example.com

Administrators with domain scope can do the following, within limits set by their access profiles:

  • Can create, view and change other administrator accounts with Read & Write and Read Only permissions in its own protected domain.
  • Can only view and change settings, including profiles and policies, in its own protected domain and elsewhere as permitted.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can be only one per protected domain.

Permission: Read & Write

Domain: system

  • Can only view and change its own administrator account.
  • Can view and change parts of the FortiMail unit’s configuration at the system and protected domain levels.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.

Domain: example.com

  • Can only view and change its own administrator account.
  • Can only view and change parts of the FortiMail unit’s configuration in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can release and delete quarantined email messages in its own protected domain.

Permission: Read Only

Domain: system

  • Can only view and change its own administrator account.
  • Can view the FortiMail unit configuration at the system and protected domain levels.
  • Can back up databases.

Domain: example.com

  • Can only view and change its own administrator account.
  • Can only view settings in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.

About the “admin” account

Unlike other administrator accounts whose access profile is super_admin_prof and domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten (Other administrators can change an administrator’s password if they know the current password).

About the “remote_wildcard” account

In FortiMail releases older than v5.1, remote RADIUS or LDAP accounts used for account authentication had to be added to FortiMail one by one. Starting from FortiMail v5.1, you can use the wildcard to add RADIUS accounts all at once. Starting from v5.2, you can also use the wildcard for LDAP accounts.

To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS or LDAP profile to use. Then every account on the RADIUS or LDAP server will be able to log on to FortiMail.

To add all accounts on a RADIUS or LDAP server to FortiMail
  1. Go to System > Administrator > Administrator.
  2. Double click the built-in “remote_wildcard” account.
  3. Configure the following and click OK.

GUI item

Description

Enable

Select it to enable the wildcard account.

Administrator

The default name is remote_wildcard and it is not editable.

Domain

Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see About administrator account permissions and domains.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see Configuring authentication profiles.

Access profile

Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile. For details, see Configuring admin profiles.

Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see Configuring authentication profiles.

Authentication type

Select RADIUS or LDAP, and then select the RADIUS or LDAP profile.

For details, see Configuring authentication profiles.

Trusted hosts

Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see Editing network interfaces.

Language

Select this administrator account’s preference for the display language of the web UI.

This setting overwrites the default language configured under System > Customization > Appearance. See Customizing the GUI appearance.

Theme

Select this administrator account’s preference for the display theme.

This setting overwrites the default theme configured under System > Customization > Appearance. See Customizing the GUI appearance.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).

By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see About administrator account permissions and domains.

Depending on the type of administrators logging on to FortiMail, this list may not display all administrator accounts.

  • For the super admin user, all administrators will be displayed.
  • For administrators with super_admin_prof access profile, all administrators except for the super admin will be displayed.
  • For all other administrators, only the administrators who are not using the super_admin_prof access profile will be displayed.
Note

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see Configuring the system quarantine setting.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.

For details, see About administrator account permissions and domains.

To configure administrator accounts
  1. Go to System > Administrator > Administrator.
  2. Either click New to add an account or double-click an account to modify it.
  3. A dialog appears.

  4. Configure the following and then click Create:

GUI item

Description

Enable

Select it to enable the new account. If disabled, the account will not be able to access FortiMail.

Administrator

Enter the name for this administrator account.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( - ), and underscores ( _ ). Other special characters and spaces are not allowed.

Domain

Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see About administrator account permissions and domains.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Admin profile

Select the name of an admin profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile. For details, see Configuring admin profiles.

Access mode

Specify the access privilege: CLI, GUI, or REST API.

Authentication type

Select the local or remote type of authentication that the administrator will use:

  • Local
  • RADIUS
  • PKI
  • LDAP

Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see Configuring authentication profiles and Configuring PKI authentication.

Password

If you select Local as the authentication type, enter a secure password for this administrator account.

The password can contain any character except spaces.

If you are changing your own password, the new password cannot be the same as the old one, and after you change the password, you will be required to log in again. However, if you are changing other administrators’ passwords, these rules do not apply.

This field is only available when authentication type is set to Local.

Confirm password

Enter this account’s password again to confirm it.

This field is only available when authentication type is set to Local.

LDAP profile

If you choose to use LDAP authentication, select an LDAP profile you want to use.

RADIUS profile

If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use.

PKI profile

If you choose to use PKI authentication, select a PKI profile you want to use.

Trusted hosts

Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see Editing network interfaces.

Language

Select this administrator account’s preference for the display language of the web UI.

This setting overwrites the default language configured under System > Customization > Appearance. See Customizing the GUI appearance.

Theme

Select this administrator account’s preference for the display theme.

This setting overwrites the default theme configured under System > Customization > Appearance. See Customizing the GUI appearance.
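The Trusted hosts setting above accepts address/netmask pairs in dotted decimal format, allows up to 10 entries, and treats 0.0.0.0/0.0.0.0 as "any IP address". The following audit script is an added example, not Fortinet code: it checks a list of trusted host entries against those rules, and it assumes that "trusted private network" means RFC 1918 or IPv6 unique local address space and that the sample accounts are constructed.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 10  # per-account limit stated in the guide

# Assumption: "trusted private network" means RFC 1918 space or IPv6 ULA.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def parse_trusted_host(entry):
    """Parse 'address/netmask' where the mask is dotted decimal or a prefix length.

    strict=False tolerates host bits in the address part, so an entry such as
    192.168.1.5/255.255.255.0 is read as the network 192.168.1.0/24.
    """
    return ipaddress.ip_network(entry.strip(), strict=False)


def audit_trusted_hosts(entries):
    """Return a list of (finding_code, detail) tuples for one account."""
    findings = []
    if len(entries) > MAX_TRUSTED_HOSTS:
        findings.append(("too-many-entries", str(len(entries))))
    for entry in entries:
        try:
            net = parse_trusted_host(entry)
        except ValueError:
            # Covers malformed addresses and non-contiguous netmasks.
            findings.append(("invalid", entry))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0.0.0.0 (or ::/0): login allowed from any address.
            findings.append(("any-address", entry))
        elif not any(
            net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS
        ):
            findings.append(("not-private", entry))
    return findings


def audit_accounts(accounts):
    """Audit every account; return only the accounts that have findings."""
    report = {}
    for name, entries in accounts.items():
        findings = audit_trusted_hosts(entries)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory: account name -> trusted host entries.
SAMPLE_ACCOUNTS = {
    "admin": ["192.168.1.0/255.255.255.0"],
    "helpdesk": ["0.0.0.0/0.0.0.0"],
    "ops": ["203.0.113.0/255.255.255.0", "10.0.0.5/255.255.255.255"],
    "legacy": ["192.168.1.0/255.0.255.0"],
}

if __name__ == "__main__":
    for account, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        for code, detail in findings:
            print(f"{account}: {code}: {detail}")
```
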

Configuring admin profiles

The Admin Profile tab displays a list of access profiles.

Admin profiles, in conjunction with the domain to which an administrator account is assigned, govern which areas of the web UI and CLI that an administrator can access, and whether or not they have the permissions necessary to change the configuration or otherwise modify items in each area.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see About administrator account permissions and domains.

To view and configure administrator accounts
  1. Go to System > Administrator > Admin Profile.
  2. GUI item

    Description

    Name

    Displays the name of the administrator access profile.

    (Green dot in column heading)

    Indicates whether or not the profile is being used in one or more administrator accounts. If so, a red dot appears in this column, and the profile cannot be deleted.

    Note: The access profile named super_admin_prof is always used by the admin administrator account, and cannot be deleted.

  3. Either click New to add an account or double-click an access profile to modify it.
  4. A dialog appears.

  5. In Profile Name, enter the name for this access profile.
  6. In the Access Control table, for each access control option, select the permissions to be granted to administrator accounts associated with this access profile. For details, see About administrator account permissions and domains.
  7. For System Quarantine, you can assign either all folders or some folders to the administrator. By default, all folders are assigned. To change the setting, click on All folders. In the popup box, disable All folders, and then move the folders from the Available list to the Members list.

    Note

    Starting from the 6.0.4 release, administrators with Read Only privileges to the System Quarantine, Personal Quarantine, Archive, and Mail Queue categories can no longer view email contents. Only administrators with Read-Write privileges can view email contents.
