Configuring administrator accounts and access profiles

The Administrator submenu configures administrator accounts and access profiles.

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the GUI.

Admin profile and Access level together control which commands and areas an administrator account can access. Permissions result from an interaction of both.

The Access level is the scope to which an administrator is assigned, either:

• System

  The administrator can access areas regardless of whether it is the FortiMail unit itself (system-wide) or a protected domain. Every administrator’s permissions are restricted only by their Admin profile.

• Domain

  The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files, statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the GUI For more information on the display modes of the GUI, see Basic mode versus advanced mode.

• Domain group

  With an advanced management license, domain groups can be created and used to allocate domain-level administrators to potentially manage multiple domains, and all log entries associated with their domains. Domain-level administrators can search history logs, with the results filtered based on the user's domain.

  There are exceptions. Domain administrators can configure IP-based policies, the global block list, the global safe list, the blocklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in the Admin profile for domain administrators.

Areas of the GUI that domain administrators cannot access

Monitor except: Personal Quarantine Log (with advanced management license) Domain Quarantine (with advanced management license)

System except for: Administrator

Domain & User except: Domain, including its subdomains and associated domains Address Map User Alias User > User Preference User > Imported User (with advanced management license) User Import Profile (with advanced management license)

Policy except: Recipient Policy > Inbound Recipient Policy > Outbound

Profile except: AntiSpam AntiVirus Content File Filter Resource Authentication Dictionary Email Group Notification

Security except: Block/Safe List > Domain Block/Safe List > Personal Option > Bayesian

Encryption

Data Loss Prevention

Email Archiving

Log & Report

The Admin profile defines the permissions that administrator accounts have to each area of the FortiMail software. Exact effects vary by the combination with the Access level of the administrator account.

Permission	Access level: System	Access level: Domain
Administrator (also known as all)	View, create, and change all other administrator accounts except the admin administrator account Change another administrator’s password using the current password. The admin account can also reset unknown passwords. See About the “admin” account. View and change all parts of the FortiMail unit’s configuration, including uploading configuration backup files and restoring firmware default settings Release and delete quarantined email messages for all protected domains Back up and restore databases Manually update firmware and antivirus definitions Restart and shut down the FortiMail unit	View, delete, and change other administrator accounts with Read/Write and Read permissions in the same protected domain, but cannot create new accounts View and change settings, including profiles and policies, only in its own protected domain and elsewhere if permitted View profiles and policies created by an administrator whose Access level is System
Read/Write	View and change its own administrator account settings View and change parts of the FortiMail unit’s configuration for all protected domains, and the FortiMail unit itself Release and delete quarantined email messages for all protected domains Back up and restore databases	View and change its own administrator account settings View and change parts of the FortiMail unit’s configuration only in the same protected domain View profiles and policies created by an administrator whose Access level is System Release and delete quarantined email messages in the same protected domain.
Read/Update
Read	View and change only that administrator account's own settings View the FortiMail unit configuration for all protected domains, and the FortiMail unit itself Back up databases For Monitor > Quarantine, Mail Queue, and Archive categories, administrators with either Read privileges or better can view email contents if Content detail is enabled	View and change only that administrator account's own settings View settings only in the same protected domain. View profiles and policies created by an administrator whose Access level is System
Custom	Permissions vary by which is selected (Read etc.) in each area. For Monitor > Quarantine, Mail Queue, and Archive, you can select action-specific permissions. If Content detail is enabled, administrators with Read privileges or better can view email contents. For Monitor > Quarantine > System Quarantine, you can assign either All folders or some folders to the administrator. By default, all folders are assigned. To change the setting, click on All folders. In the popup box, disable All folders, and then move the folders from the Available list to the Members list.

About the “admin” account

Unlike other administrator accounts whose Admin profile is super_admin_prof and Access level is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten (Other administrators can change an administrator’s password if they know the current password).

About the “remote_wildcard” account

You can use the wildcard administrator account so that many accounts from a RADIUS or LDAP server can log onto FortiMail.

To achieve this, you can use the preconfigured account named remote_wildcard account.

1. Go to System > Administrator > Administrator.
2. Double click the built-in account named remote_wildcard.

3. Configure the settings (see Configuring administrator accounts) and click OK.

   In Authentication type, select RADIUS or LDAP. The name, remote_wildcard, is not editable.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses that administrators are allowed to use to log in (if configured).

By default, FortiMail units have one administrator account, admin. For more granular control over administrative access, you can create more administrator accounts that are restricted to a specific protected domain and permissions. For details, see About administrator account permissions and domains.

Depending on the type of your FortiMail administrator account, this list may not display all administrator accounts.

• For the admin superuser, all administrators will be displayed.
• For administrators with the access profile named super_admin_prof, all administrators except for admin will be displayed.
• For all other administrators, only the administrators who are not using the super_admin_prof access profile will be displayed.

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For details, see Configuring the system quarantine setting.

To configure administrator accounts

1. Go to System > Administrator > Administrator.

2. Either click New to add an account or double-click an account to modify it.

3. Configure the following and then click Create:

   GUI item	Description
   Enable	Enable or disable the account. If disabled, the account cannot access FortiMail.
   Administrator	Enter the name for this administrator account. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( - ), and underscores ( _ ). Other special characters and spaces are not allowed.
   Access level	Select the scope of the administrator account: System Domain Domain Group For details, see About administrator account permissions and domains and Configuring protected domains. If Access level is Domain, the administrator cannot use the CLI nor the basic mode of the GUI.
   Domain	Select the name of a protected domain. This setting is available only if Access level is Domain.
   Domain Group	Select the name of a group of protected domains. This setting is available only if Access level is Domain group.
   Admin profile	Select the name of an administrator profile that determines which functional areas the administrator account may view or affect. Click New to create a new profile or Edit to modify the selected profile. For details, see Configuring administrator profiles.
   Access mode	Select the allowed access methods: CLI, GUI, and/or REST API. For information on restricting administrative access protocols that can be used by administrator computers, see Editing network interfaces.
   Authentication type	Select the local or remote type of authentication that the administrator will use: Local RADIUS PKI LDAP Single Sign On Except for Local, most types require that you configure an authentication profile with associated settings. See Configuring authentication profiles and Configuring PKI authentication. The GUI login page may not include all types, depending on what you select when customizing the appearance. See the FortiMail CLI Reference.
   Password	Enter a secure password for this administrator account. The password can contain any character except spaces. If you are changing your own password, the new password cannot be the same as the old one. After you change the password, you must log in again. However, if you are changing other administrators’ passwords, these rules do not apply. This setting is only available when Authentication type is Local.
   Confirm password	Enter this account’s password again to confirm it. This setting is only available when Authentication type is Local.
   RADIUS profile	If you selected the RADIUSor RADIUS + Local authentication type, select the name of the RADIUS profile that you want to use.
   PKI profile	If you selected the PKI authentication type, select the name of the PKI profile that you want to use.
   LDAP profile	If you selected the LDAP authentication type, select the name of the LDAP profile that you want to use.
   Single sign on profile	If you selected the Single Sign On authentication type, select the name of the SSO profile that you want to use.
   Trusted host	Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts. If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0. Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0. For additional security, restrict all trusted host entries to administrator computers on your trusted private network. For information on restricting administrative access protocols that can be used by administrator computers, see Editing network interfaces.
   Language	Select this administrator account’s preference for the display language of the GUI. This setting overrides the default language configured under System > Customization > Appearance. See Customizing the GUI appearance.
   Theme	Select this administrator account’s preference for the display theme. This setting overrides the default theme configured under System > Customization > Appearance. See Customizing the GUI appearance.

Configuring administrator profiles

The Admin Profile tab displays a list of access profiles.

Administrator profiles, in conjunction with the Access level to which an administrator account is assigned, govern which areas of the GUI and CLI that an administrator can access, and whether or not they have the permissions to change the configuration or modify items in each area.

To configure an administrator account profile

1. Go to System > Administrator > Admin Profile.

   GUI item	Description
   Name	Displays the name of the administrator access profile.
   Comment	Displays an optional description of the administrator access profile.
   Ref.	Indicates whether or not the profile is being used in one or more administrator accounts. Click to show the list of referenced entities. The access profile named super_admin_prof is required by the administrator account named admin, and cannot be deleted.

2. Either click New to add an account or double-click an access profile to modify it.

3. In Profile name, enter the name for this access profile.

4. For each row in the Access Control column, select the permissions such as Read/Write to grant to administrator accounts associated with this access profile. For more granular control of permissions, select Custom. For details, see About administrator account permissions and domains.

5. Optionally, select the Privilege level:

   • Low: No access to diagnose and config system xxx commands in the CLI.
   • Medium: Normal access except for super admin privileges. This is the default setting.
   • High: Same as medium.