Administration Guide

Roles

This view allows you to set up role names. Roles are assigned to users, hosts and devices. For users and for hosts managed in the Host View, roles are attributes that are used as filters in User/Host Profiles. For devices and hosts managed in Topology View, such as a printer, roles are used to control network access based on where they connect. If you are using roles to control network access for hosts and devices, you must also configure Network Device Roles to provide a set of connection instructions for role and device or port group combinations.

For example, if Role A is assigned to all of the printers in the Accounting Department, then when a printer connects to a port in the accounting office, the Network Device Role for accounting office ports is configured to move them to VLAN 10.

In the case of a host managed in the Host View, if Role B is assigned to that host, then when the host connects to a port in the accounting office, FortiNAC reviews the Network Access Policies until it finds a policy for a host with Role B connected to accounting ports based on the User/Host Profile in the policy.

Roles can be assigned in many different ways. In the case of the Roles View, roles are assigned based on directory groups or FortiNAC groups. When a user or a host is added to a group, FortiNAC searches the list of roles for a match starting with the role ranked number 1. When a match is found, the role is assigned to the user or the host. In the case of directory attributes, when a user is registered and FortiNAC checks the list of roles, a role with a name that exactly matches the attribute will be assigned to the user if it is the first piece of data about the user that matches the role criteria.

Note: Roles created on the FortiNAC server will be ranked above global roles created on the NCM. The rank of a local role can be adjusted above or below another local role, but cannot be ranked below a global role. The rank for a global role cannot be modified from the FortiNAC server.
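
Because the first matching role wins, a broadly scoped role ranked above a narrower one silently prevents the narrower role from ever being assigned by group. The following is an added example, not FortiNAC code: a small model of the ranking rules above that finds such unreachable roles. The role and group names are constructed, and it assumes that membership in any one listed group counts as a match; directory attribute matching and manual assignment are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    groups: frozenset        # empty set models "None": not assignable by group
    is_global: bool = False  # True for a global role created on the NCM


def ranked(roles):
    """Local roles always rank above global ones; order within a tier is kept."""
    return sorted(roles, key=lambda r: r.is_global)  # sorted() is stable


def assign_role(member_groups, roles):
    """Walk the list from rank 1 and return the first role that matches."""
    for role in ranked(roles):
        if role.groups & set(member_groups):
            return role.name
    return None


def shadowed_roles(roles):
    """Roles whose groups are all claimed by higher-ranked roles."""
    claimed, hidden = set(), []
    for role in ranked(roles):
        if role.groups and role.groups <= claimed:
            hidden.append(role.name)
        claimed |= role.groups
    return hidden


# Constructed sample role list, in the order an administrator entered it.
ROLES = [
    Role("Corp-Global", frozenset({"Staff"}), is_global=True),
    Role("Staff", frozenset({"Staff", "Accounting"})),
    Role("Accounting", frozenset({"Accounting"})),
    Role("Printers", frozenset()),  # Groups = None
]

# Same roles with the narrower local role moved above the broad one.
FIXED = [ROLES[0], ROLES[2], ROLES[1], ROLES[3]]

if __name__ == "__main__":
    print("assigned:", assign_role({"Accounting"}, ROLES))
    print("unreachable by group:", shadowed_roles(ROLES))
    print("after re-ranking:", assign_role({"Accounting"}, FIXED))
```

Running a check like this against an exported role list before changing ranks shows which roles a re-rank would make unreachable.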

For additional information on all methods for role assignment, see Assigning roles.

See Navigation and Filters for information on common navigation tools and data filters.

Settings

Field

Definition

Rank Buttons

Moves the selected role up or down in the list. Users and hosts are compared to roles in order by rank.

Set Rank Button

Allows you to type a different rank number for a selected role and immediately move the role to that position. In an environment with a large number of roles, this process is faster than using the up and down Rank buttons.

Name

Name of the role. If you are assigning roles based on the directory attribute specified in Attribute Mappings in the Role field, the name of the role in the Roles View must match the data in the user's directory attribute. For example, if the directory attribute is department and the user's field is set to Accounting, then the role name must be Accounting in order to match.

Groups

One or more groups whose members will be assigned to this role. The list includes groups both in FortiNAC and in the directory, if one is being used with FortiNAC.

If no groups are selected, None is displayed in this field. This effectively disables the role for group assignment. However, the role can still be assigned manually, by Device Profiler or through the Captive Portal.

Note

User-specified note field. This field may contain notes regarding the conversion of roles from a previous version of FortiNAC.

Last Modified By

User name of the last user to modify the role. SYSTEM indicates that the role was modified by FortiNAC itself.

Last Modified Date

Date and time of the last modification to this role.

Right click options

Export

Exports data to a file in the default downloads location. File types include CSV, Excel, PDF or RTF. See Export data.

Copy

Copies the selected role to create a new record.

Delete

Deletes the selected Role. Roles that are currently in use cannot be deleted.

In Use

Indicates whether or not the selected role is currently being used by any other FortiNAC element. See Role in use.

Modify

Opens the Modify Role window for the selected role.

Show Audit Log

Opens the Admin Auditing Log showing all changes made to the selected item.

For information about the Admin Auditing Log, see Admin auditing.

Note: You must have permission to view the Admin Auditing Log. See Add an admin profile.
