
Administration Guide

Permissions list

Administrator profiles contain permission settings. An administrator inherits permissions from the administrator profile applied to their user account. The table below lists the permissions that can be set in an administrator profile, with any special information about each setting.

Access levels

Level

Definition

Access

If enabled, the user will be able to see data in the views shown in the Permission Set, but not add, modify or delete. There are some exceptions to this that are noted in the table of permissions.

In some cases, by enabling Access, other permissions are automatically enabled. For example, if you enable Access for guest/contractor accounts, Add/Modify and Delete are automatically enabled and cannot be disabled.

Add/Modify

If enabled, the user can add or modify data in the views shown in the Permission Set.

Delete

If enabled, the user can delete data in the views shown in the Permission Set.

Custom

If enabled, an additional tab is shown that contains advanced settings for the Permission Set. For example, if Access to guest/contractor accounts is enabled and Custom is enabled, advanced options can be set on the Manage Guests tab.

Permissions list

Where applicable, this table assumes that Access, Add/Modify, Delete and Custom options are enabled.

Views

Permissions

Notes

Admin auditing

Admin Auditing

Provides access to the admin auditing log.

Dashboard

Dashboard

Provides access to the dashboard tiles. Tiles require additional permissions as follows:

  • Alarms Panel: Requires access to Event/Alarm; links and buttons are enabled if Add/Modify is enabled.
  • Summary Panel: Requires access to System Settings.
  • Network Device Summary Panel: Requires access to Devices; links are enabled if Add/Modify or Delete are enabled for Devices.
  • Host Summary Panel: Requires access to Users/Hosts/Adapters.
  • Scans Panel: Requires access to Policy.
  • User Summary Panel: Requires access to Users/Hosts/Adapters.
  • License Information Panel: Requires access to System Settings.
  • Persistent Agent Summary Panel: Requires access to Policy.
  • Performance Summary Panel: Requires access to Event/Alarm.

Requires that other permissions be selected to display associated tiles.

Event/alarm

Event to Alarm Mappings

Event Management

If enabled, the views shown in the left column can be accessed.

Reports can be accessed but not all options can be used without access to User/Host/Adapter being enabled.

Group membership

Group Membership


Allows access to Host, User, Device or Port group membership. Requires that one of the following additional permissions be enabled:

  • Devices
  • Locate Hosts & Users
  • Manage Hosts & Ports
  • Users/Hosts/Adapters

Groups

Groups


If enabled, allows access to the Groups View where you can view, add, modify or delete a group.

Guest/Contractor Accounts

Guest/Contractor Accounts


If enabled, allows access to the Guest Contractor Accounts View where you can view, add, modify or delete a guest account.

Has a Custom option that enables the Manage Guests Tab.

Custom/Manage Guests


This tab displays when the Custom permission is enabled. Custom Options include:

  • Guest Account Access: Indicates whether the user can access All, Own or No guest accounts after they have been created.
  • Account Types: Allows the user to create Individual, Bulk and/or Contractor accounts.
  • Create Accounts Days in Advance (Maximum): Number of days before the guest registers that the account can be created.
  • Create Accounts Active For Days (Maximum): Maximum number of days that accounts created by this user are allowed to be active.
  • Allowed Templates: Templates that can be used to create guest accounts.

Refer to Add a guest manager profile for detailed information.

Locate hosts & users

Locate Hosts & Users

If enabled, the views shown in the column on the left can be accessed.

  • User can view adapter, host, user, and device identity.
  • User can view group membership for Hosts and Users.
  • User can modify Host information including registering a host.
  • User can modify User properties for network users and administrators.
  • User can delete Host and Adapter records.

Logs

Alarms

Connections

Events

Scan Results

If enabled, the views shown in the column on the left can be accessed.

Users can view information about events within the system and on the network.

Manage hosts & ports

Manage Hosts & Ports

If enabled, the views shown in the column on the left can be accessed. Access is limited to users, hosts and adapters in groups for which user has permission. See Limit user access with groups.

User can view adapter, host, user, and device identity.

User can modify Host information including registering a host.

User can modify User properties for network user.

User can enable or disable an adapter.

User can view Port properties for the ports where an adapter is connected.

Network devices

Network Device Summary Dashboard Tile

CLI Configuration
Device Profiling Rules
L2 Polling
L3 Polling
Locate
Port Changes
Topology

If enabled, the views shown in the left column can be accessed.

Custom (FortiNAC versions 8.8.9 and above): If selected, the Network Device tab appears. "Can View Credentials" can be enabled/disabled. Disabling this option hides the device model credentials information in Topology.

To see Profiled Devices that option must be enabled separately.

Policy

Control Access

Network Device Roles

Passive Agent Configuration

Persistent Agent Properties

Policy Configuration

Remediation Configuration

Roles

If enabled, the views shown in the left column can be accessed.

The Passive Agent registration view requires access to Groups to add or modify Passive Agent Configurations.

Portal configuration

Portal Configuration

If enabled, allows the user to view and edit settings for portals. Users with the Policies permission set enabled will also have this permission set enabled.

Custom options include:

  • Access: Allows the user to view the portal settings.
  • Add/Modify: Allows the user to view the settings, add new portal settings, and delete existing portal configurations. Requires that Access permissions be enabled. Permissions can be further modified to prevent the user from adding new portal configurations or modifying the default portal configuration.
  • Delete: Allows the user to view portal settings, add new ones, and modify and delete existing portal configurations. Requires that Add/Modify permissions be enabled.

Profiled devices

Profiled Devices

If enabled, allows the user to view the list of profiled devices. User can also Export devices, register a device, enable or disable a device, delete the device from the list and view details and notes for a selected device.

The Views column on the Profiled Devices View contains icons that provide access to details about the selected device. These icons display only if additional permissions are enabled for the administrator. Possible views include: Adapter Properties, Group Membership, Port Properties and Device Properties.

Adapter Properties: Requires permission for users, hosts, and adapters.

Group Membership: Requires permission for group membership.

Port Properties: Requires permission for Devices.

Device Properties: Requires permission for users, hosts, and adapters or Devices.

Has a Custom option that enables the Profile Devices Tab.

Custom/Profile Devices


This tab displays when the Custom permission is enabled. Custom Options include:

  • Register, Delete, and Disable Profiled Devices: If enabled, the user can register, delete and disable devices that have been profiled by device profiler.
  • Modify Device Rule Confirmation Settings: If enabled, the user can change rule confirmation settings on devices that have been profiled by device profiler. Rule confirmation settings control whether or not device profiler checks a previously profiled device to determine if it still meets the criteria of the rule that categorized the device.
  • Manage Profiled Devices Using These Rules:

    • All Rules: includes current rules and any rules created in the future.
    • Specify Rules: you must choose the rules from the Available Rules field and manually move them to the Specify Rules field.
  • Available Rules: Shows the existing rules you can select for this profile. Select the rule and click the right arrow to move it to the Selected Rules pane.
  • Selected Rules: Shows the rules you selected from the Available Rules section. The user can only access the devices associated with the rules in this list.

Refer to for detailed information.

Reporting

Analytics

Reports

If enabled, the views shown in the left column can be accessed.

Security logs

Security Alarms

Security Events

If enabled, the views shown in the left column can be accessed.

User has access to view security alarms created when a security rule is matched. Users can take action on a security alarm if it was not done automatically. The user's administrator profile settings determine the actions they are allowed to complete.

This permission set is only available when ATR is enabled within your current license package.

Has a Custom option that enables the Security Events tab.

Security rules

Security Actions

Security Rules

Security Triggers

If enabled, the views shown in the left column can be accessed.

User can create security devices and security event rules. Users will establish and maintain all rules and the default actions associated with each rule.

This permission set is only available when ATR is enabled within your current license package.

Self registration requests

Self Registration Requests

If enabled, user can manage requests for network access submitted by Guests from the captive portal.

Send message

Send Message

User can send messages to hosts with the Persistent Agent or Mobile Agent installed.

System settings

Scheduler

Settings

If enabled, the views shown in the left column can be accessed.

All settings can be accessed when this permission is enabled. Refer to Settings for a complete list.

Users/hosts/adapters

Adapters View

Device Identity

Hosts View

Users View

If enabled, the views shown in the left column can be accessed.
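
Several rows in this table grant or withhold more than the checkboxes alone suggest: Access on Guest/Contractor Accounts forces Add/Modify and Delete on, Policy brings Portal Configuration with it, Group Membership needs a companion permission set, and dashboard tiles depend on other sets. The Python below is an added example for reviewing a profile against those rules; it is not FortiNAC code, and the dict-based profile format, the function names, the reading of "Devices" as the Network Devices set, and "at least Access" for the Policy-to-Portal rule are assumptions.

```python
# Added example; the dict-based profile format and all function names are
# hypothetical and do not mirror a FortiNAC export or API.
ACCESS, MODIFY, DELETE, CUSTOM = "Access", "Add/Modify", "Delete", "Custom"

# Dashboard tile -> permission set whose Access it needs (from the table).
# Assumption: "Devices" in the table is the Network Devices permission set.
TILE_REQUIRES = {
    "Alarms Panel": "Event/Alarm",
    "Summary Panel": "System Settings",
    "Network Device Summary Panel": "Network Devices",
    "Host Summary Panel": "Users/Hosts/Adapters",
    "Scans Panel": "Policy",
    "User Summary Panel": "Users/Hosts/Adapters",
    "License Information Panel": "System Settings",
    "Persistent Agent Summary Panel": "Policy",
    "Performance Summary Panel": "Event/Alarm",
}
# Group Membership needs at least one of these permission sets enabled.
GROUP_MEMBERSHIP_NEEDS = ("Network Devices", "Locate Hosts & Users",
                          "Manage Hosts & Ports", "Users/Hosts/Adapters")

def effective(profile):
    """Return the profile after applying the implications the table states."""
    eff = {name: set(levels) for name, levels in profile.items() if levels}
    # Access on Guest/Contractor Accounts forces Add/Modify and Delete on.
    guest = eff.get("Guest/Contractor Accounts", set())
    if ACCESS in guest:
        guest |= {MODIFY, DELETE}
    # Policy enabled => Portal Configuration enabled as well.
    # Assumption: the implied grant is modelled as at least Access.
    if "Policy" in eff:
        eff.setdefault("Portal Configuration", set()).add(ACCESS)
    return eff

def visible_tiles(profile):
    """Dashboard tiles the profile can actually see."""
    eff = effective(profile)
    if ACCESS not in eff.get("Dashboard", set()):
        return []
    return sorted(tile for tile, need in TILE_REQUIRES.items()
                  if ACCESS in eff.get(need, set()))

def findings(profile):
    """Flag grants that differ from what the raw checkboxes suggest."""
    eff, out = effective(profile), []
    for name, levels in eff.items():
        added = levels - set(profile.get(name, ()))
        if added:
            out.append(f"{name}: implicitly gains {', '.join(sorted(added))}")
    if "Group Membership" in eff and not any(p in eff for p in GROUP_MEMBERSHIP_NEEDS):
        out.append("Group Membership: no prerequisite permission set enabled")
    return out

HELPDESK = {  # constructed sample profile, not taken from a real system
    "Dashboard": {ACCESS},
    "Guest/Contractor Accounts": {ACCESS},
    "Policy": {ACCESS},
    "Group Membership": {ACCESS},
}

if __name__ == "__main__":
    print("\n".join(findings(HELPDESK) + visible_tiles(HELPDESK)))
```

For the constructed HELPDESK profile, the review reports that a nominally read-only guest grant carries Add/Modify and Delete, that Portal Configuration is reachable through Policy, and that Group Membership has no effect without a companion permission set.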
