Permissions list
Administrator profiles contain permission settings. An administrator inherits permissions from the administrator profile applied to their user account. The table below lists the permissions that can be set in an administrator profile, along with any special information about each setting.
Access levels
| Level | Definition |
|---|---|
| Access | If enabled, the user will be able to see data in the views shown in the Permission Set, but not add, modify or delete. There are some exceptions to this that are noted in the table of permissions. In some cases, by enabling Access, other permissions are automatically enabled. For example, if you enable Access for guest/contractor accounts, Add/Modify and Delete are automatically enabled and cannot be disabled. |
| Add/Modify | If enabled, the user can add or modify data in the views shown in the Permission Set. |
| Delete | If enabled, the user can delete data in the views shown in the Permission Set. |
| Custom | If enabled, an additional tab is shown that contains advanced settings for the Permission Set. For example, if Access to guest/contractor accounts is enabled and Custom is enabled, advanced options can be set on the Manage Guests tab. |
Permissions list
Where applicable, this table assumes that Access, Add/Modify, Delete and Custom options are enabled.
| Views | Permissions | Notes |
|---|---|---|
| Admin auditing | | |
| Admin Auditing | Provides access to the admin auditing log. | |
| Dashboard | | |
| Dashboard | Provides access to the dashboard tiles. Tiles require additional permissions as follows: | Requires that other permissions be selected to display associated tiles. |
| Event/alarm | | |
| Event to Alarm Mappings | If enabled, the views shown in the left column can be accessed. | Reports can be accessed but not all options can be used without access to User/Host/Adapter being enabled. |
| Group membership | | |
| Group Membership | Allows access to Host, User, Device or Port group membership. Requires that one of the following additional permissions be enabled: | |
| Groups | | |
| Groups | If enabled, allows access to the Groups View where you can view, add, modify or delete a group. | |
| Guest/Contractor Accounts | | |
| Guest/Contractor Accounts | If enabled, allows access to the Guest Contractor Accounts View where you can view, add, modify or delete a guest account. | Has a Custom option that enables the Manage Guests Tab. |
| Custom/Manage Guests | This tab displays when the Custom permission is enabled. Custom Options include: Refer to Add a guest manager profile for detailed information. | |
| Locate hosts & users | | |
| Locate Hosts & Users | If enabled, the views shown in the column on the left can be accessed. | |
| Logs | | |
| Alarms, Connections, Events, Scan Results | If enabled, the views shown in the column on the left can be accessed. Users can view information about events within the system and on the network. | |
| Manage hosts & ports | | |
| Manage Hosts & Ports | If enabled, the views shown in the column on the left can be accessed. Access is limited to users, hosts and adapters in groups for which the user has permission. See Limit user access with groups. User can view adapter, host, user, and device identity. User can modify Host information including registering a host. User can modify User properties for network user. User can enable or disable an adapter. User can view Port properties for the ports where an adapter is connected. | |
| Network devices | | |
| Network Device CLI Configuration | If enabled, the views shown in the left column can be accessed. Custom (FortiNAC versions 8.8.9 and above): If selected, the Network Device tab appears. "Can View Credentials" can be enabled/disabled. Disabling this option hides the device model credentials information in Topology. | To see Profiled Devices that option must be enabled separately. |
| Policy | | |
| Control Access, Network Device Roles, Passive Agent Configuration, Persistent Agent Properties, Policy Configuration, Remediation Configuration, Roles | If enabled, the views shown in the left column can be accessed. The Passive Agent registration view requires access to Groups to add or modify Passive Agent Configurations. | |
| Portal configuration | | |
| Portal Configuration | If enabled, allows the user to view and edit settings for portals. Users with the Policies permission set enabled will also have this permission set enabled. Custom options include: | |
| Profiled devices | | |
| Profiled Devices | If enabled, allows the user to view the list of profiled devices. User can also Export devices, register a device, enable or disable a device, delete the device from the list and view details and notes for a selected device. The Views column on the Profiled Devices View contains icons that provide access to details about the selected device. These icons only display if additional permissions are enabled for the administrator. Possible views include: Adapter Properties, Group Membership, Port Properties and Device Properties. Adapter Properties: Requires permission for users, hosts, and adapters. Group Membership: Requires permission for group membership. Port Properties: Requires permission for Devices. Device Properties: Requires permission for users, hosts, and adapters or Devices. | Has a Custom option that enables the Profile Devices Tab. |
| Custom/Profile Devices | This tab displays when the Custom permission is enabled. Custom Options include: Refer to for detailed information. | |
| Reporting | | |
| Analytics Reports | If enabled, the views shown in the left column can be accessed. | |
| Security logs | | |
| Security Alarms, Security Events | If enabled, the views shown in the left column can be accessed. User has access to view security alarms created when a security rule is matched. Users can take action on a security alarm if it was not done automatically. The user's administrator profile settings determine the actions they are allowed to complete. | This permission set is only available when ATR is enabled within your current license package. Has a Custom option that enables the Security Events tab. |
| Security rules | | |
| Security Actions, Security Rules, Security Triggers | If enabled, the views shown in the left column can be accessed. User can create security devices, and security event rules. Users will establish and maintain all rules and the default actions associated with each rule. | This permission set is only available when ATR is enabled within your current license package. |
| Self registration requests | | |
| Self Registration Requests | If enabled, user can manage requests for network access submitted by Guests from the captive portal. | |
| Send message | | |
| Send Message | User can send messages to hosts with the Persistent Agent or Mobile Agent installed. | |
| System settings | | |
| Scheduler Settings | If enabled, the views shown in the left column can be accessed. | All settings can be accessed when this permission is enabled. Refer to Settings for a complete list. |
| Users/hosts/adapters | | |
| Adapters View, Device Identity, Hosts View, Users View | If enabled, the views shown in the left column can be accessed. | |
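
Several rows above grant more than the box that was ticked, or unlock detail views only in combination with other permission sets. The sketch below is an added example, not FortiNAC code: it expands a profile into its effective permissions for a least-privilege review. The dict-based profile model and all function names are assumptions, and only rules stated on this page are encoded.

```python
# Added example: a hypothetical in-memory model, not FortiNAC's API or export format.
# A profile maps a permission-set name to the levels ticked by the reviewer.

# Detail icons in the Profiled Devices view and the permission sets that unlock
# them (any one set in the tuple is enough), as listed on this page.
PROFILED_DEVICE_VIEWS = {
    "Adapter Properties": ("Users/Hosts/Adapters",),
    "Group Membership": ("Group Membership",),
    "Port Properties": ("Devices",),
    "Device Properties": ("Users/Hosts/Adapters", "Devices"),
}

def effective(profile):
    """Expand a profile with the grants this page says are enabled automatically."""
    eff = {name: set(levels) for name, levels in profile.items() if levels}
    # Access to guest/contractor accounts forces Add/Modify and Delete on.
    if "Access" in eff.get("Guest/Contractor Accounts", ()):
        eff["Guest/Contractor Accounts"] |= {"Add/Modify", "Delete"}
    # Policy also enables Portal Configuration. The page does not say at which
    # level, so Access is assumed here as the minimum.
    if "Access" in eff.get("Policy", ()):
        eff.setdefault("Portal Configuration", set()).add("Access")
    return eff

def implied_grants(profile):
    """Levels in the effective profile that nobody ticked explicitly."""
    extra = {}
    for name, levels in effective(profile).items():
        added = levels - set(profile.get(name, ()))
        if added:
            extra[name] = sorted(added)
    return extra

def profiled_device_views(profile):
    """Detail views an administrator can open from the Profiled Devices view."""
    eff = effective(profile)
    if "Access" not in eff.get("Profiled Devices", ()):
        return []
    return sorted(view for view, needs in PROFILED_DEVICE_VIEWS.items()
                  if any("Access" in eff.get(n, ()) for n in needs))

# Constructed sample: a help-desk profile as a reviewer might have ticked it.
HELPDESK = {
    "Guest/Contractor Accounts": {"Access"},
    "Policy": {"Access", "Add/Modify"},
    "Profiled Devices": {"Access"},
    "Users/Hosts/Adapters": {"Access"},
}
```

For the constructed `HELPDESK` profile, `implied_grants` reports the guest-account write and delete rights and the Portal Configuration access that were never ticked, which is the difference a reviewer should sign off on explicitly.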