Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Mappings process

Admin Profile Mappings establishes a profile for Administrative Users who are members of a particular Administrator Group. Admin Profile Mappings are ranked so that if an Administrative User is a member of more than one group, FortiNAC can determine which Admin Profile should be applied to the user.

Example:

  1. Administrative User John is in Group A and Group B.
  2. Group A is mapped to a Guest Sponsor Profile and Ranked #5.
  3. Group B is mapped to a Device Manager Profile and Ranked #2.
  4. FortiNAC associates John with the Device Manager Profile because that mapping is higher in Rank and is the first match for John.
Note

Adding an Administrative User to a Group that has an Admin Profile mapped can change the Admin Profile applied to that user.

Admin Profiles are only applied to members of an Administrator Group when the Administrative User is added to the group or deleted from a higher ranking group. The Administrative User could be added to the group manually or on directory resynchronization. Review the scenarios below for information on the behavior of Admin Profile Mappings.

Administrative user added to a group manually

  • An existing Administrative User is added to Administrator Group A that is mapped to Admin Profile C. The user is not in any other Administrator groups. The Administrative User's profile is updated to Profile C because it is mapped to Group A.
  • An existing Administrative User is added manually to Administrator Group A that is mapped to Admin Profile C. The user is also in Administrator Groups B and C, but the new group A is ranked higher in the Admin Profile Mappings list and the new Admin Profile C is assigned.

Administrative user added to a group based on directory group membership

  • Admin Users are created automatically in FortiNAC when users authenticate to the Directory and then access FortiNAC through the Admin UI or by registering a host. The users are then assigned group membership according to their Directory groups.

    Possible scenarios that create Admin Users automatically are:

    • If a user exists in the directory, for example jdoe, but the user is not a user of any kind in FortiNAC, when jdoe logs into the FortiNAC User Interface using a directory user id and password, a user "jdoe" is created in FortiNAC as an Administrator user.
    • If a user exists in the directory, for example asmith, but the user is not a user of any kind in FortiNAC, when asmith registers a host via FortiNAC, a user for asmith, of type "user" is created. Then, when the Directory Synchronization task runs, asmith becomes an administrator user in FortiNAC.
    • If a user exists in the directory, for example tjones, but the user is not a user of any kind in FortiNAC, when tjones registers a host via FortiNAC, a user for tjones, of type "user" is created. If, before the Directory Synchronization task runs, the user logs into the FortiNAC Admin UI, the tjones user will transition to be an Administrator user at that time (i.e., not waiting for the Directory Sync.)
  • When the Directory Synchronization is run, users are added to FortiNAC Administrator Groups that match the groups in the Directory. Adding Admin Users to a group triggers an evaluation of Admin Profile Mappings. If the Admin User is in multiple Directory groups, the user will be assigned to multiple groups in FortiNAC, and the Admin Profile will be assigned according to the Admin Profile ranking.
Note

When an Admin Group is created in FortiNAC with the same name as a group being synchronized from a Directory, the Admin Group members will remain the same as the Directory group members. Therefore, if you add a non-Directory user to the Admin Group and then synchronize the Directory, the non-Directory user is removed from the Admin Group because the user is not a member of the Directory group.

Modify ranks of admin profile mappings

  • The order of the Admin Profile Mapping records is changed modifying the ranking. A scheduled directory synchronization runs. Administrative Users' groups are updated each time the synchronization is run causing the Admin Profile Mappings to be analyzed again. Since the ranking has changed, some Administrative Users that are members of more than one group are assigned different Admin Profiles based on the new ranking.
  • The order of the Admin Profile Mapping records is changed modifying the ranking. No directory is being used. Administrative Users continue to have the same Admin User Profiles because there is no mechanism to trigger a re-evaluation of group membership.

Administrative user deleted from a group manually

  • An existing Administrative User is deleted from Administrator Group A that is mapped to Admin Profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the Admin Profile Mapping with the highest rank.

    Administrator Group B is mapped to Admin Profile D. Administrator Group C is mapped to Admin Profile F. The mapping for Group B has the highest rank, therefore the Administrative User's profile us updated to Admin Profile D.

  • An existing Administrative User is deleted from Group A that is mapped to an Admin Profile C. The user is not a member of any other group mapped to a profile. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Administrative user deleted from a group in the directory

  • An existing Administrative User is deleted from Administrator Group A in the Directory. The directory resynchronizes with FortiNAC which deletes the Administrative user from Group A that is mapped to Admin Profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the Admin Profile Mapping with the highest rank.

    Administrator Group B is mapped to Admin Profile D. Administrator Group C is mapped to Admin Profile F. The mapping for Group B has the highest rank, therefore the Administrative User's profile us updated to Admin Profile D.

  • An existing Administrative User is deleted from Administrator Group A in the Directory. The directory resynchronizes with FortiNAC which deletes the Administrative user from Group A that is mapped to Admin Profile C. The user is not a member of any other group mapped to a profile. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Administrator group is deleted from FortiNAC

  • An existing Administrative User is in Group A that is mapped to Admin Profile C. The user is not a member of any other group mapped to a profile. Group A is deleted from the Groups View. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Admin profile mapping is deleted from FortiNAC

  • Administrative Users are not affected when an Admin Profile Mapping is deleted from the data base until a user is added to or deleted from a Group. If the group is no longer mapped their profile is not updated. If the group continues to be mapped, their profile is updated as described in the previous scenarios.
Note

When groups are nested within a parent group, admin profiles must be mapped to the groups that contain the users, and not the parent group only.

Note

Changing the Ranking on existing Admin Profile Mapping records does not change profiles on Administrative Users unless those users are in the directory and the directory is resynchronized.

Note

Adding a new Admin Profile Mapping does not affect existing Administrative Users until the directory is resynchronized or a user's membership in a mapped group changes.

Note

If you are not using a directory there is no mechanism for Administrative Users to be reevaluated.

Mappings process

Admin Profile Mappings establishes a profile for Administrative Users who are members of a particular Administrator Group. Admin Profile Mappings are ranked so that if an Administrative User is a member of more than one group, FortiNAC can determine which Admin Profile should be applied to the user.

Example:

  1. Administrative User John is in Group A and Group B.
  2. Group A is mapped to a Guest Sponsor Profile and Ranked #5.
  3. Group B is mapped to a Device Manager Profile and Ranked #2.
  4. FortiNAC associates John with the Device Manager Profile because that mapping is higher in Rank and is the first match for John.
Note

Adding an Administrative User to a Group that has an Admin Profile mapped can change the Admin Profile applied to that user.

Admin Profiles are only applied to members of an Administrator Group when the Administrative User is added to the group or deleted from a higher ranking group. The Administrative User could be added to the group manually or on directory resynchronization. Review the scenarios below for information on the behavior of Admin Profile Mappings.

Administrative user added to a group manually

  • An existing Administrative User is added to Administrator Group A that is mapped to Admin Profile C. The user is not in any other Administrator groups. The Administrative User's profile is updated to Profile C because it is mapped to Group A.
  • An existing Administrative User is added manually to Administrator Group A that is mapped to Admin Profile C. The user is also in Administrator Groups B and C, but the new group A is ranked higher in the Admin Profile Mappings list and the new Admin Profile C is assigned.

Administrative user added to a group based on directory group membership

  • Admin Users are created automatically in FortiNAC when users authenticate to the Directory and then access FortiNAC through the Admin UI or by registering a host. The users are then assigned group membership according to their Directory groups.

    Possible scenarios that create Admin Users automatically are:

    • If a user exists in the directory, for example jdoe, but the user is not a user of any kind in FortiNAC, when jdoe logs into the FortiNAC User Interface using a directory user id and password, a user "jdoe" is created in FortiNAC as an Administrator user.
    • If a user exists in the directory, for example asmith, but the user is not a user of any kind in FortiNAC, when asmith registers a host via FortiNAC, a user for asmith, of type "user" is created. Then, when the Directory Synchronization task runs, asmith becomes an administrator user in FortiNAC.
    • If a user exists in the directory, for example tjones, but the user is not a user of any kind in FortiNAC, when tjones registers a host via FortiNAC, a user for tjones, of type "user" is created. If, before the Directory Synchronization task runs, the user logs into the FortiNAC Admin UI, the tjones user will transition to be an Administrator user at that time (i.e., not waiting for the Directory Sync.)
  • When the Directory Synchronization is run, users are added to FortiNAC Administrator Groups that match the groups in the Directory. Adding Admin Users to a group triggers an evaluation of Admin Profile Mappings. If the Admin User is in multiple Directory groups, the user will be assigned to multiple groups in FortiNAC, and the Admin Profile will be assigned according to the Admin Profile ranking.
Note

When an Admin Group is created in FortiNAC with the same name as a group being synchronized from a Directory, the Admin Group members will remain the same as the Directory group members. Therefore, if you add a non-Directory user to the Admin Group and then synchronize the Directory, the non-Directory user is removed from the Admin Group because the user is not a member of the Directory group.

Modify ranks of admin profile mappings

  • The order of the Admin Profile Mapping records is changed modifying the ranking. A scheduled directory synchronization runs. Administrative Users' groups are updated each time the synchronization is run causing the Admin Profile Mappings to be analyzed again. Since the ranking has changed, some Administrative Users that are members of more than one group are assigned different Admin Profiles based on the new ranking.
  • The order of the Admin Profile Mapping records is changed modifying the ranking. No directory is being used. Administrative Users continue to have the same Admin User Profiles because there is no mechanism to trigger a re-evaluation of group membership.

Administrative user deleted from a group manually

  • An existing Administrative User is deleted from Administrator Group A that is mapped to Admin Profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the Admin Profile Mapping with the highest rank.

    Administrator Group B is mapped to Admin Profile D. Administrator Group C is mapped to Admin Profile F. The mapping for Group B has the highest rank, therefore the Administrative User's profile us updated to Admin Profile D.

  • An existing Administrative User is deleted from Group A that is mapped to an Admin Profile C. The user is not a member of any other group mapped to a profile. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Administrative user deleted from a group in the directory

  • An existing Administrative User is deleted from Administrator Group A in the Directory. The directory resynchronizes with FortiNAC which deletes the Administrative user from Group A that is mapped to Admin Profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the Admin Profile Mapping with the highest rank.

    Administrator Group B is mapped to Admin Profile D. Administrator Group C is mapped to Admin Profile F. The mapping for Group B has the highest rank, therefore the Administrative User's profile us updated to Admin Profile D.

  • An existing Administrative User is deleted from Administrator Group A in the Directory. The directory resynchronizes with FortiNAC which deletes the Administrative user from Group A that is mapped to Admin Profile C. The user is not a member of any other group mapped to a profile. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Administrator group is deleted from FortiNAC

  • An existing Administrative User is in Group A that is mapped to Admin Profile C. The user is not a member of any other group mapped to a profile. Group A is deleted from the Groups View. The user's Admin Profile C is completely removed. The user loses his Admin User status and becomes only a regular network user under Users > Users View. To restore the user to an Admin User you must add the Admin User again with the same user ID and assign an Admin Profile.

Admin profile mapping is deleted from FortiNAC

  • Administrative Users are not affected when an Admin Profile Mapping is deleted from the data base until a user is added to or deleted from a Group. If the group is no longer mapped their profile is not updated. If the group continues to be mapped, their profile is updated as described in the previous scenarios.
Note

When groups are nested within a parent group, admin profiles must be mapped to the groups that contain the users, and not the parent group only.

Note

Changing the Ranking on existing Admin Profile Mapping records does not change profiles on Administrative Users unless those users are in the directory and the directory is resynchronized.

Note

Adding a new Admin Profile Mapping does not affect existing Administrative Users until the directory is resynchronized or a user's membership in a mapped group changes.

Note

If you are not using a directory there is no mechanism for Administrative Users to be reevaluated.