Administration Guide

Mappings process

Administrator profile mappings establish a profile for administrators who are members of a particular administrator group. Administrator profile mappings are ranked so that, if an administrator is a member of more than one group, FortiNAC can determine which administrator profile should be applied to the user.

Example:
  1. Administrator John is in Group A and Group B.
  2. Group A is mapped to a guest sponsor profile and Ranked #5.
  3. Group B is mapped to a Device Manager Profile and Ranked #2.
  4. FortiNAC associates John with the Device Manager Profile because that mapping is higher in Rank and is the first match for John.
Note

Adding an administrator to a group that has an administrator profile mapped can change the administrator profile applied to that user.

Administrator profiles are only applied to members of an administrator group when the administrator is added to the group or deleted from a higher ranking group. The administrator could be added to the group manually or on directory resynchronization. Review the scenarios below for information on the behavior of administrator profile mappings.

Administrator added to a group manually

  • An existing administrator is added to administrator group A that is mapped to administrator profile C. The user is not in any other administrator groups. The administrator's profile is updated to profile C because it is mapped to group A.
  • An existing administrator is added manually to administrator group A that is mapped to administrator profile C. The user is also in administrator groups B and C, but the new group A is ranked higher in the administrator profile mappings list and the new administrator profile C is assigned.

Administrator added to a group based on directory group membership

  • Administrators are created automatically in FortiNAC when users authenticate to the directory and then access FortiNAC through the admin UI or by registering a host. The users are then assigned group membership according to their directory groups.

    Possible scenarios that create administrators automatically are:

    • If a user exists in the directory, for example jdoe, but the user is not a user of any kind in FortiNAC, when jdoe logs into the FortiNAC User Interface using a directory user id and password, a user "jdoe" is created in FortiNAC as an administrator.
    • If a user exists in the directory, for example asmith, but the user is not a user of any kind in FortiNAC, when asmith registers a host via FortiNAC, a user for asmith, of type "user" is created. Then, when the directory Synchronization task runs, asmith becomes an administrator user in FortiNAC.
    • If a user exists in the directory, for example tjones, but the user is not a user of any kind in FortiNAC, when tjones registers a host via FortiNAC, a user for tjones, of type "user" is created. If, before the directory Synchronization task runs, the user logs into the FortiNAC admin UI, the tjones user will transition to be an administrator at that time (i.e., not waiting for the directory sync.)
  • When the directory synchronization is run, users are added to FortiNAC administrator groups that match the groups in the directory. Adding administrators to a group triggers an evaluation of administrator profile mappings. If the administrator is in multiple directory groups, the user will be assigned to multiple groups in FortiNAC, and the administrator profile will be assigned according to the administrator profile ranking.
Note

When an administrator group is created in FortiNAC with the same name as a group being synchronized from a directory, the administrator group members will remain the same as the directory group members. Therefore, if you add a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed from the administrator group because the user is not a member of the directory group.

Modify ranks of administrator profile mappings

  • The order of the administrator profile mapping records is changed, modifying the ranking. A scheduled directory synchronization runs. Administrators' groups are updated each time the synchronization is run, causing the administrator profile mappings to be analyzed again. Since the ranking has changed, some administrators that are members of more than one group are assigned different administrator profiles based on the new ranking.
  • The order of the administrator profile mapping records is changed, modifying the ranking. No directory is being used. Administrators continue to have the same administrator profiles because there is no mechanism to trigger a re-evaluation of group membership.

Administrator deleted from a group manually

  • An existing administrator is deleted from administrator group A that is mapped to administrator profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the administrator profile mapping with the highest rank.

    Administrator group B is mapped to administrator profile D. Administrator group C is mapped to administrator profile F. The mapping for Group B has the highest rank, therefore the administrator's profile is updated to administrator profile D.

  • An existing administrator is deleted from Group A that is mapped to an administrator profile C. The user is not a member of any other group mapped to a profile. The user's administrator profile C is completely removed. The user loses his administrator status and becomes only a regular network user under Users > User View. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator deleted from a group in the directory

  • An existing administrator is deleted from administrator group A in the directory. The directory resynchronizes with FortiNAC which deletes the administrator from Group A that is mapped to administrator profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on one of the other groups used in the administrator profile mapping with the highest rank.

    Administrator group B is mapped to administrator profile D. Administrator group C is mapped to administrator profile F. The mapping for Group B has the highest rank, therefore the administrator's profile is updated to administrator profile D.

  • An existing administrator is deleted from administrator group A in the directory. The directory resynchronizes with FortiNAC which deletes the administrator from Group A that is mapped to administrator profile C. The user is not a member of any other group mapped to a profile. The user's administrator profile C is completely removed. The user loses his administrator status and becomes only a regular network user under Users > User View. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator group is deleted from FortiNAC

  • An existing administrator is in group A that is mapped to administrator profile C. The user is not a member of any other group mapped to a profile. Group A is deleted from the groups view. The user's administrator profile C is completely removed. The user loses his administrator status and becomes only a regular network user under Users > User View. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator profile mapping is deleted from FortiNAC

  • Administrators are not affected when an administrator profile mapping is deleted from the database until a user is added to or deleted from a group. If the group is no longer mapped, their profile is not updated. If the group continues to be mapped, their profile is updated as described in the previous scenarios.

When groups are nested within a parent group, administrator profiles must be mapped to the groups that contain the users, and not the parent group only.

Changing the ranking on existing administrator profile mapping records does not change profiles on administrators unless those users are in the directory and the directory is resynchronized.

Adding a new administrator profile mapping does not affect existing administrators until the directory is resynchronized or a user's membership in a mapped group changes.

If you are not using a directory, there is no mechanism for administrators to be reevaluated.
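The ranked resolution described in the example at the top of this page and the trigger rules in the scenarios above can be modelled in a few lines. The following is an added illustration written for this page, not FortiNAC code or a FortiNAC API; the group, profile and rank values are constructed to match the guide's examples, and the trigger behaviour (re-evaluation only on membership changes to a mapped group, or on directory resynchronization) follows the scenarios as written. The point a defender should take from it is scenario 4 and scenario 6: without a directory resync, a stale profile keeps its privileges after the mapping that granted it has changed or been removed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model (not FortiNAC code): a mapping ties one administrator group
# to one administrator profile and carries a rank; rank #1 beats rank #2.
@dataclass
class Mapping:
    group: str
    profile: str
    rank: int

@dataclass
class Admin:
    name: str
    groups: set = field(default_factory=set)
    profile: Optional[str] = None   # None: regular network user, not an administrator

def is_mapped(group, mappings):
    return any(m.group == group for m in mappings)

def resolve_profile(groups, mappings):
    """Profile of the highest-ranked mapping whose group the user is in; None if none match."""
    hits = [m for m in mappings if m.group in groups]
    return min(hits, key=lambda m: m.rank).profile if hits else None

def add_to_group(user, group, mappings):
    """Manual add. Re-evaluation fires only when the touched group is mapped."""
    user.groups.add(group)
    if is_mapped(group, mappings):
        user.profile = resolve_profile(user.groups, mappings)
    return user.profile

def remove_from_group(user, group, mappings):
    """Manual delete (or the group itself deleted). Same trigger rule as add."""
    user.groups.discard(group)
    if is_mapped(group, mappings):
        user.profile = resolve_profile(user.groups, mappings)
    return user.profile

def directory_resync(users, directory_groups, mappings):
    """Directory sync replaces each user's groups with directory membership and
    re-evaluates every user, so rank changes only take effect here."""
    for user in users:
        user.groups = set(directory_groups.get(user.name, ()))
        user.profile = resolve_profile(user.groups, mappings)

def run_scenarios():
    """Walk the guide's scenarios and return the resulting profile for each."""
    results = {}
    # 1. Ranking example from the guide: John in A (#5) and B (#2) gets Device Manager.
    mappings = [Mapping("Group A", "Guest Sponsor", rank=5),
                Mapping("Group B", "Device Manager", rank=2)]
    john = Admin("john", {"Group A", "Group B"})
    john.profile = resolve_profile(john.groups, mappings)
    results["john"] = john.profile

    # 2. Deleted from mapped group A; still in B (D) and C (F): highest rank wins.
    m2 = [Mapping("Group A", "Profile C", 1), Mapping("Group B", "Profile D", 2),
          Mapping("Group C", "Profile F", 3)]
    u = Admin("u", {"Group A", "Group B", "Group C"}, "Profile C")
    results["delete_keeps_other"] = remove_from_group(u, "Group A", m2)

    # 3. Deleted from the only mapped group: administrator status is removed entirely.
    v = Admin("v", {"Group A"}, "Profile C")
    results["delete_last"] = remove_from_group(v, "Group A", m2)

    # 4. Ranks change so B now outranks A. Without a directory nothing re-evaluates;
    #    the profile is stale until a resync applies the new ranking.
    m2[0].rank, m2[1].rank = 3, 1
    w = Admin("w", {"Group A", "Group B"}, "Profile C")
    results["rank_change_no_dir"] = w.profile
    directory_resync([w], {"w": ["Group A", "Group B"]}, m2)
    results["rank_change_resync"] = w.profile

    # 5. Nested groups: mapping only the parent never matches a child-group member.
    x = Admin("x")
    results["nested_parent_only"] = add_to_group(x, "Child", [Mapping("Parent", "Profile C", 1)])

    # 6. Mapping deleted: a membership change in the now-unmapped group leaves the profile as is.
    y = Admin("y", {"Group A"}, "Profile C")
    results["unmapped_group_event"] = remove_from_group(y, "Group A", [])
    return results

if __name__ == "__main__":
    for name, profile in run_scenarios().items():
        print(f"{name}: {profile}")
```

Scenarios 4 and 6 are the ones worth auditing for in a real deployment: a rank change or mapping deletion that is never followed by a directory resync leaves administrators holding the profile they had before the change.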