User Guide

Device access restrictions

24.1.0

Device tags can be used to further limit which devices an account can access.

If an account has no tags defined, it can see all devices.

Affected features

  • Devices view

  • Zones view

  • Device Tags view

  • Backups view

  • Config search view

  • Mass config push view

  • Credentials > Show usage

  • Schedules > Show scheduled tasks

  • Other settings > Per-Tag connectors

  • Other settings > Sensitive data stripping

Assigning tags to devices

We can create as many tags as needed using the Add button in the Device tags table.

After a tag is created, we can tag devices with this tag using the Tag devices table.
Selecting a tag and pressing Un-tag devices allows us to remove devices from this tag.
(If an account is already access-limited by tags, it can only tag or untag devices with tags it has access to.)

On the Devices view, you can also see a clickable Tag icon which allows for tagging/untagging devices.

Tagging devices from Zones

Zones can add tags to all devices that belong to the Zone.
To use this, add a tag to a zone in the Zones view, and all devices in that zone will be tagged with the selected tag(s).

Assigning tags to accounts

Tags can be applied to any account as access restrictions, limiting that account's access to only the devices with that tag.
If tags are applied to an account, the account can also see only the zones in the Zones view that have this tag applied.

By default, users have access to all devices present in the NCM.

You can add tag limitations to accounts in the Device access table in User management.
To do this, create rules (account / tag bindings). You can add as many rules as needed to achieve proper access separation.

Usage example

We want user 'Bob' to only have access to the WiFi APs in NCM.
For example, when Bob does a Config search for 'password', he would see results only in configs of the APs.

First we create user 'Bob' with the 'Read-only' access role.

Next we create the 'APs' device tag in the Device tags screen.
After the tag is created, we give Bob access to the devices with the 'APs' tag.
We navigate to User management > Device access, click Add, and add the 'APs' tag to Bob's account.

Now we need to tag the right devices with the 'APs' tag.
In the Device tags screen, we select the tag, and select Tag devices.
We add the tag to the appropriate devices.

After this, our 'Bob' user will only see the devices that are tagged with the 'APs' tag when using Config search or any other NCM feature.
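
The access rules described on this page, modelled as an added example (not Fortinet code and not an NCM API or export format): it computes what each account can see and lists accounts that have no tag bindings and therefore see every device. All device, zone and account data is constructed, and treating several tags on one account as a union is an assumption.

```python
# Constructed sample data modelling the tables described on this page.
# The structures and names are hypothetical, not an NCM export format.
DEVICE_TAGS = {   # device -> tags set directly on the device
    "ap-lobby": {"APs"},
    "ap-floor2": {"APs"},
    "core-sw1": set(),
    "edge-fw1": set(),
}
ZONES = {         # zone -> (tags on the zone, member devices)
    "branch": ({"Branch"}, {"ap-floor2", "edge-fw1"}),
    "hq": (set(), {"ap-lobby", "core-sw1"}),
}
DEVICE_ACCESS = {  # account -> tags bound by Device access rules
    "bob": {"APs"},
    "carol": {"Branch"},
    "dave": set(),  # no rules defined
}

def effective_tags(device):
    """Tags on a device, including tags inherited from its zones."""
    tags = set(DEVICE_TAGS[device])
    for zone_tags, members in ZONES.values():
        if device in members:
            tags |= zone_tags
    return tags

def visible_devices(account):
    bound = DEVICE_ACCESS.get(account, set())
    if not bound:  # no tags defined: the account sees all devices
        return set(DEVICE_TAGS)
    # Assumption: several bound tags grant the union of their devices.
    return {d for d in DEVICE_TAGS if effective_tags(d) & bound}

def visible_zones(account):
    bound = DEVICE_ACCESS.get(account, set())
    if not bound:
        return set(ZONES)
    # A zone is visible only when the zone itself carries a bound tag.
    return {z for z, (zone_tags, _) in ZONES.items() if zone_tags & bound}

def unrestricted_accounts():
    """Accounts with no tag bindings, i.e. access to every device."""
    return sorted(a for a, tags in DEVICE_ACCESS.items() if not tags)

if __name__ == "__main__":
    for acct in sorted(DEVICE_ACCESS):
        print(acct, sorted(visible_devices(acct)), sorted(visible_zones(acct)))
    print("unrestricted:", unrestricted_accounts())
```

In this model Bob sees both APs but no zones, because neither zone carries the 'APs' tag, while 'dave' appears in the unrestricted list until a Device access rule is added for that account.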
