Permissions
Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.
Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.
The domain to which an administrator is assigned can be either:
- System: Can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. The administrator’s permissions are restricted only by his or her access profile.
- A protected domain: Can only access areas that are specifically assigned to that protected domain. The administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by his or her access profile. The administrator cannot access the CLI, nor the basic mode of the web UI (For more information on the display modes of the GUI, see the FortiMail Administration Guide).
|
IP-based policies, the global blocklist, and the global safelist, the blocklist action, and the global Bayesian database are exceptions to this rule. Domain administrators can configure them, regardless of the fact that they could affect other domains. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles. |
Areas of the GUI (advanced mode) that cannot be accessed by domain administrators:
- System > Maintenance
- Monitor except for the Personal quarantine tab
- System except for the Administrator tab
- System > Mail Settings except for the domain, its subdomains, and associated domains
- Domain & User > User > PKI User
- Policy > Access Control > Receiving
- Policy > Access Control > Delivery
- Profile > Authentication
- Profile > AntiSpam
- Email Archiving
- Log & Report
Access profiles assign either read, write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an access profile that administrator accounts can use, see sensitive data.
There are three possible permission types for an administrator account:
Administrator account permissions by domain assignment:
|
Permission |
Domain: system |
Domain: example.com |
|---|---|---|
|
|
|
|
|
|
|
|
Areas of control in access profiles:
|
Access control area name |
Grants access to... For each
|
|
|---|---|---|
|
In the web UI |
In the CLI |
|
|
Policy |
policy |
Monitor > Mail Queue ... Monitor > Greylist ... Monitor > Reputation > Sender Reputation Domain & User > Domain > Domain System > Mail Setting > Proxies Domain & User > User ... Policy ... Profile ... AntiSpam > Greylist ... AntiSpam > Bounce Verification > Settings AntiSpam > Endpoint Reputation ... AntiSpam > Bayesian ... |
|
config antispam greylist exempt config antispam bounce-verification key config antispam settings config antispam trusted ... config domain config mailsetting proxy-smtp config policy ... config profile ... config user ... diagnose ... execute ... config mailsetting relayserver |
||
|
Block/Safelist |
block-safe-list |
Monitor > Endpoint Reputation > Auto blocklist Maintenance > AntiSpam > Block/Safelist Maintenance AntiSpam > Block/Safelist ... |
|
N/A diagnose ... execute ... get system status get system raid-performance get system performance |
||
|
Quarantine |
quarantine |
Monitor > Quarantine ... AntiSpam > Quarantine > Quarantine Report AntiSpam > Quarantine > System Quarantine Setting AntiSpam > Quarantine > Control Account |
|
diagnose ... execute ... config antispam quarantine-report config mailsetting systemquarantine |
||
|
Others |
others |
Monitor > System Status ... Monitor > Archive > Email Archives Monitor > Log ... Monitor > Report ... Maintenance ... except the Block/Safelist Maintenance tab System ... Mail Settings > Settings ... Mail Settings > Address Book > Address Book User > User Alias > User Alias User > Address Map > Address Map Email Archiving ... Log and Report ... |
|
config archive ... config log ... config mailsetting relayserver config mailsetting storage config report config system ... config user alias config user map diagnose ... execute ... get system status |
||
Unlike other administrator accounts whose Access profile is super_admin_prof and Domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without being required to enter the existing password. As such, it is the only account that can reset another administrator’s password if that administrator forgets his or her password. Its name, permissions, and assignment to the System domain cannot be changed.
|
|
Set a strong password for the |
For complete access to all commands, you must log in with the administrator account named admin. For access to the CLI, you must log in with a System-level administrator account.