Administration Guide

Set admin privileges based on directory groups

To provide access to the FortiNAC user interface you can place Administrative Users in special groups that set the appropriate privileges. Typically this is done for users in your Directory, by placing them in special groups within the directory that correspond to matching groups in FortiNAC. When the Directory is synchronized with FortiNAC, users in the appropriate groups will be given Administrator or Administrative privileges based on their group settings and the Admin Profile Mapping that matches the user's group.

Note

The Domain Users Group cannot be used to set Admin privileges because user details for users in that group are not populated in FortiNAC when a directory synchronization is done.

Note

When an Admin Group is created in FortiNAC with the same name as a group being synchronized from a Directory, the Admin Group members will remain the same as the Directory group members. Therefore, if you add a non-Directory user to the Admin Group and then synchronize the Directory, the non-Directory user is removed from the Admin Group because the user is not a member of the Directory group.

Implementation

Directory
  • Integrate your Directory with FortiNAC. See Authentication directories for configuration and integration information.
  • Temporarily disable the Directory Synchronization task in the FortiNAC Scheduler to prevent the synchronization from pulling directory information before the setup is complete. See Scheduler view.
  • If you want to send e-mail to Admin users, make sure to map the e-mail field in your directory to the e-mail field in FortiNAC. To set up this mapping go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Select the Attribute Mappings tab and make sure that the e-mail field is configured. This setting allows users to receive e-mails based on Device Profiling settings, Guest Manager settings, and event-to-alarm mappings based on group membership.
  • Create groups in the directory for each set of administrator privileges you wish to grant. For example, if you want to have Administrative Users with full rights to FortiNAC and Administrative Users who are just Sponsors for guest access, create two groups in the directory, one for each type of Administrative Users. Add the appropriate Administrative Users to the new groups.
  • Make sure the new groups are selected to be included when the directory and FortiNAC are synchronized. To select the groups go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Click the Select groups tab and review the selected groups.
FortiNAC
  • All Administrative Users require an Admin Profile that provides permissions. Create the appropriate Admin User Profiles first. See Admin profiles and permissions.
  • Go to the Groups View and create Administrator groups to contain the users who will be given access to FortiNAC. The group name must be absolutely identical to the name of the group in the directory.
  • Since groups automatically brought over from the directory are typically Host groups, you must create the Administrator groups manually. If a group already exists with the name of one of the Administrator groups, you must delete that group and add it again as an Administrator group.
  • Map Administrator Groups to Admin Profiles. These mappings allow FortiNAC to determine the Admin Profile that should be associated with an Administrative User based on the group that contains that user. Mappings are ranked and Administrative Users are associated with the first mapping they match. See Admin profile mappings.

    Example:

    • Administrative User John is in Group A and Group B.
    • Group A is mapped to a Guest Sponsor Profile and Ranked #5.
    • Group B is mapped to a Device Manager Profile and Ranked #2.
    • FortiNAC associates John with the Device Manager Profile because that mapping has a higher Rank and is the first match for John.
  • Go to the Scheduler View in FortiNAC and enable the Directory Synchronization task. Run the task to update the groups. Users that have already registered in FortiNAC are updated immediately. New users that are not in the FortiNAC database but do exist in the Directory are added to FortiNAC groups when they log into the Admin User Interface for the first time.
  • Go to the Groups View and verify that the correct users have been placed in each group. See Groups view.
  • Go to the Admin Users View and verify that the Admin User Profile is correct for each user. See Admin users.
Note

If the root account for FortiNAC is placed in a group with an Admin User Profile other than the Administrator Profile, the Admin Profile of this account will change. This could potentially leave you without a root or admin login that provides access to the entire FortiNAC product.

Note

Aging for new Administrative Users created by being added to a directory group is determined by Global Aging settings. See Aging and Aging out host or user records.
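As an added example (not FortiNAC code and not a FortiNAC API), the following Python model reproduces the ranked Admin Profile Mapping rule from the Implementation steps above and adds a pre-sync check for the pitfalls the notes describe: the Domain Users group, group names that do not match the directory exactly, members added by hand to an Admin Group, and the root account landing in a group mapped to a profile other than Administrator. All group, user and profile names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    group: str    # FortiNAC Administrator group; must equal the directory group name exactly
    profile: str  # Admin Profile granted to members of that group
    rank: int     # lower number is evaluated first

def resolve_profile(user_groups, mappings):
    """Profile of the best-ranked mapping whose group contains the user, or None if no match."""
    for m in sorted(mappings, key=lambda m: m.rank):
        if m.group in user_groups:
            return m.profile
    return None

def lint_config(mappings, directory_groups, admin_group_members, root_groups,
                root_profile="Administrator"):
    """Pre-sync checks for the pitfalls the page's notes describe. Returns a list of findings."""
    findings = []
    for m in mappings:
        if m.group == "Domain Users":
            findings.append(f"{m.group}: Domain Users cannot be used for admin privileges")
        if m.group not in directory_groups:
            findings.append(f"{m.group}: no directory group with this exact name")
    # members added by hand to an Admin Group are dropped on the next synchronization
    for group, members in admin_group_members.items():
        for user in members - directory_groups.get(group, set()):
            findings.append(f"{group}: {user} is not in the directory group and will be removed")
    # the root account must keep the full Administrator profile
    root_result = resolve_profile(root_groups, mappings)
    if root_result is not None and root_result != root_profile:
        findings.append(f"root would get '{root_result}' instead of '{root_profile}'")
    return findings

# Constructed sample data mirroring the page's example (John in Group A and Group B).
# "NAC admins" deliberately differs in case from the directory group "NAC Admins".
MAPPINGS = [
    Mapping("Group A", "Guest Sponsor", 5),
    Mapping("Group B", "Device Manager", 2),
    Mapping("NAC admins", "Administrator", 1),
]
DIRECTORY = {"Group A": {"john"}, "Group B": {"john"}, "NAC Admins": {"alice"},
             "Domain Users": {"john", "alice", "bob"}}
ADMIN_GROUP_MEMBERS = {"Group A": {"john", "localuser"}, "Group B": {"john"}}

def johns_profile():
    return resolve_profile({"Group A", "Group B"}, MAPPINGS)

def sample_findings():
    return lint_config(MAPPINGS, DIRECTORY, ADMIN_GROUP_MEMBERS, root_groups={"Group B"})
```

Running `sample_findings()` on the constructed data reports the case-mismatched group, the hand-added `localuser`, and the root account being demoted to Device Manager.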