Administration Guide

Add an administrator profile

Administrator profiles control permissions for administrators.

  1. Click Users & Hosts > Administrators > Profiles.
  2. Click Add. The Add Admin Profile screen appears with the General tab highlighted.
  3. Enter a name for the profile.
  4. Use the table below to configure the new administrator profile.
  5. On the Permissions tab note that some permissions are dependent on each other. Refer to the Permissions list for additional information.
  6. Click OK to save.

General tab settings

Field

Definition

Name

Enter a name that describes the profile, such as librarian or IT staff.

Login Availability

Indicates when users with this profile can log in to FortiNAC. Options include: Always or Specify Time. If you choose Specify Time, user access to FortiNAC is limited to certain times of day and days of the week.

Logout After ... Minutes of Inactivity

User is logged out after this amount of time has elapsed without any activity in the user interface.

Lock Out After...failed attempts

User is locked out after this number of failed login attempts.

Lock Out Duration...seconds

User is locked out for this amount of time before another login attempt is allowed.

Manage Hosts And Ports

Restricts an administrator to a specific set of hosts or ports. The set is defined by host and port groups that are assigned to be managed by a specific group of administrators.

Any administrator whose profile has this option enabled can only view and/or modify a subset of the data in FortiNAC. Typically, this type of user would only have the Manage Hosts & Ports permission set on the Permissions tab; therefore, this setting is not used frequently. Default = All.

  • All: All groups containing hosts and ports can be accessed.
  • Restrict By Groups: Enables the restriction of administrators to specific hosts and ports.

For an overview and additional setup information, see Limit access with groups.

Note

User-specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC for an existing administrator profile record.

Enable Guest Kiosk

If you enable this mode, the ONLY thing that the administrator can access is the self-service Kiosk. Everything else in FortiNAC is disabled.

The administrator can log into FortiNAC to provide visitors self-serve account creation through a kiosk. For added security, use a kiosk browser.

Kiosk Template

Field displays only if Enable Guest Kiosk is selected.

Select a kiosk template for this administrator profile. All visitors who use the self-service kiosk when this administrator is logged in are assigned this guest template.

Kiosk Welcome Message

Field displays only if Enable Guest Kiosk is selected.

Enter the message that will appear when the kiosk user creates a guest account.

Permissions tab settings

Field

Definition

Landing Page

Indicates the first view displayed when an administrator with this profile logs into FortiNAC. There are no options displayed in this field until permissions are selected.

Permission Set

Click the arrow next to a permission set to see the Views that can be accessed when this permission set is enabled. For example, if Devices is selected, this profile provides access to the following: CLI configuration, device profiling rules, L2 Polling, L3 Polling, Locate, Port Changes, and Topology.

Access

Indicates that the user will have view access to the permission set in the left column. Depending on the permission set, enabling Access automatically enables Add/Modify and/or Delete.

Add/Modify

Indicates that the user will be able to add or modify records in the permission set in the left column.

Delete

Indicates that the user will be able to delete records in the permission set in the left column.

Custom

When Custom is enabled for a permission set, an additional tab is displayed. For example, if Custom is enabled for Guest Contractor Accounts, a Manage Guests tab is displayed, allowing you to configure additional controls for guest account creation.

See Add a guest manager profile for information on the Manage Guests tab.

See Profiles for device managers for information on the Profile Devices tab.

Check All / Uncheck All Buttons

Checks or unchecks all permissions.

Specify login availability time

This option allows you to limit access to FortiNAC for an administrator based on the time of day and the day of the week. Any administrator associated with this profile can only access FortiNAC as specified in the Login Availability field for the administrator profile.

  1. Click Users & Hosts > Administrators > Profiles.
  2. Select an administrator profile and click Modify.
  3. In the Login Availability field, select Specify Time.
  4. In the Time Range section of the Specify Time dialog, enter the From and To times for the time of day that administrators should be able to access the network.
  5. In the Days of the Week section, select the days during which these users should be allowed to access the network.
  6. Click OK.

Manage guests tab settings

Field

Definition

Guest Account Access

You can give administrators with this profile privileges that allow them to manage all guest contractor accounts, regardless of who created them, only their own accounts, or no accounts.

The privileges include whether the sponsors can add or modify accounts, locate guests or contractors, and view reports.

No: Users can only see guest accounts they create and send credentials to those guests. Users cannot modify or delete any guest accounts.

Own Accounts: Users can see guest accounts they create, send credentials to those guests, and modify or delete their own guest accounts.

All Accounts: Users can see all guest accounts in the database, send credentials to guests, and modify or delete any guest accounts.

Account Types

Individual: Sponsor can create single guest accounts. Within the constraints of the template, the sponsor may specify account start and end date. Each account has a unique name and password associated with it.

Bulk: Sponsors may create multiple accounts with unique passwords by importing a bulk account file.

Conference: Sponsors may create any number of conference accounts, or the number may be limited by a template. Conference accounts may be named identically but have a unique password for each attendee, have the same name and password, or have unique names and passwords.

Create Accounts Days in Advance (Maximum)

The maximum number of days in advance this sponsor is allowed to create accounts.

Create Accounts Active For Days (Maximum)

Determines the length of time the guest account remains active in the database.

Allowed Templates

Indicates whether the administrator can use all guest templates or only those in the Specify Templates > Selected Templates field. Default = All.

Options include:

  • All Templates: Profile gives the administrator access to all templates in the database when creating guest accounts.
  • Specify Templates: Profile gives the administrator access to the templates listed in Selected Templates.

Specify Templates

Allows you to select guest/contractor templates available for administrators with this administrator profile. Use the arrows to place the templates needed in the Selected Templates column and the unwanted templates in the Available Templates column.

If All Templates is selected in the Allowed Templates field, all templates are moved to the Selected Templates column and the arrows are hidden.

Available Templates

Shows the templates that have not been selected to be included in this administrator profile.

Selected Templates

Shows the templates selected to be included in this administrator profile.

Add Icon

Create a new guest/contractor template.

Modify Icon

Modify the selected guest/contractor template.

Profile devices tab settings

Field

Definition

Register, Delete, and Disable Profiled Devices

If enabled, the user can register, delete and disable devices that have been profiled by device profiler.

Modify Device Rule Confirmation Settings

If enabled, the user can change rule confirmation settings on devices that have been profiled by device profiler. Rule confirmation settings control whether or not device profiler checks a previously profiled device to determine if it still meets the criteria of the rule that categorized the device.

Manage Profiled Devices Using These Rules

All Rules: includes current rules and any rules created in the future.

Specify Rules: you must choose the rules from the Available Rules field and manually move them to the Selected Rules field.

Available Rules

Shows the existing rules you can select for this profile. Select the rule and click the right arrow to move it to the Selected Rules pane.

Selected Rules

Shows the rules you selected from the Available Rules section. The user can only access the devices associated with the rules in this list.

Add Icon

Create a new Device Profiling Rule.

For information on rules, see Adding a rule.

Modify Icon

Modify the selected Device Profiling Rule.

For information on rules, see Adding a rule.

Security events tab settings

Note

The Security Events tab is only available when Security Incidents is enabled within your current license package.

Field

Definition

Allow Overriding of Recommended Actions

If enabled, the user can override the associated action when taking action on the alarm.

Allowed Actions for Security Events

All Actions: includes current actions and any actions created in the future.

Specify Actions: you must choose the actions from the Available Actions field and manually move them to the Selected Actions field.

Available Actions

Shows the existing actions you can select for this profile. Select the action and click the right arrow to move it to the Selected Actions pane.

Selected Actions

Shows the actions you selected from the Available Actions section. The user can only complete the actions in this list.
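
The following is an added example, not part of the FortiNAC documentation or product: a least-privilege review of administrator profiles using the settings described on this page. The dictionary keys, the sample profiles and the BASELINE limits are constructed assumptions (not a FortiNAC export format); transcribe values from the profile screens to use it.

```python
# Added example: review constructed administrator-profile records.
# Keys mirror field names on this page; this is NOT a FortiNAC export format.
BASELINE = {"max_idle_minutes": 15, "max_failed_attempts": 5}  # assumed site policy

# Settings whose "All" choice is not limited to a selected list.
UNBOUNDED = {
    "manage_hosts_and_ports": "All",
    "allowed_templates": "All Templates",
    "profiled_device_rules": "All Rules",       # includes rules created later
    "security_event_actions": "All Actions",    # includes actions created later
}

def review_profile(p, baseline=BASELINE):
    """Return a list of review findings for one profile dict."""
    f = []
    if p.get("enable_guest_kiosk"):
        # Kiosk mode disables everything except the self-service kiosk,
        # so only the template assigned to visitors needs checking.
        if not p.get("kiosk_template"):
            f.append("kiosk enabled without a kiosk template")
        return f
    if p.get("login_availability", "Always") == "Always":
        f.append("Login Availability is Always (no time restriction)")
    idle = p.get("logout_after_minutes")
    if idle is None or idle > baseline["max_idle_minutes"]:
        f.append(f"inactivity logout {idle} exceeds baseline")
    tries = p.get("lock_out_after_failed_attempts")
    if tries is None or tries > baseline["max_failed_attempts"]:
        f.append(f"lockout threshold {tries} exceeds baseline")
    for key, value in UNBOUNDED.items():
        if p.get(key) == value:
            f.append(f"{key} = {value} (not restricted to a selected list)")
    # Record effective rights: enabling Access can auto-enable Delete.
    for pset, rights in sorted(p.get("permissions", {}).items()):
        if "Delete" in rights:
            f.append(f"Delete enabled on permission set '{pset}'")
    if p.get("guest_account_access") == "All Accounts":
        f.append("Guest Account Access = All Accounts (any guest account)")
    if p.get("allow_override_recommended_actions"):
        f.append("may override recommended actions on security events")
    return f

# Constructed sample profiles.
SAMPLE_PROFILES = [
    {"name": "it-staff", "login_availability": "Always",
     "logout_after_minutes": 60, "lock_out_after_failed_attempts": 10,
     "manage_hosts_and_ports": "All", "profiled_device_rules": "All Rules",
     "allowed_templates": "Specify Templates",
     "guest_account_access": "All Accounts",
     "permissions": {"Devices": {"Access", "Add/Modify", "Delete"},
                     "Guest Contractor Accounts": {"Access"}}},
    {"name": "lobby-kiosk", "enable_guest_kiosk": True,
     "kiosk_template": "visitor-1day"},
    {"name": "librarian", "login_availability": "Specify Time",
     "logout_after_minutes": 10, "lock_out_after_failed_attempts": 3,
     "manage_hosts_and_ports": "Restrict By Groups",
     "allowed_templates": "Specify Templates",
     "guest_account_access": "Own Accounts",
     "permissions": {"Guest Contractor Accounts": {"Access", "Add/Modify"}}},
]

if __name__ == "__main__":
    for prof in SAMPLE_PROFILES:
        print(prof["name"], review_profile(prof))
```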
