Set privileges based on directory groups
To provide access to the FortiNAC user interface you can place administrators in special groups that set the appropriate privileges. Typically this is done for users in your directory, by placing them in special groups within the directory that correspond to matching groups in FortiNAC. When the directory is synchronized with FortiNAC, users in the appropriate groups will be given administrator privileges based on their group settings and the administrator profile mapping that matches the user's group.
The domain users group cannot be used to set administrator privileges because user details for users in that group are not populated in FortiNAC when a directory synchronization is done.
When an administrator group is created in FortiNAC with the same name as a group being synchronized from a directory, the administrator group members will remain the same as the directory group members. Therefore, if you add a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed from the administrator group because the user is not a member of the directory group.
Implementation
Directory
- Integrate your directory with FortiNAC. See Directories for configuration and integration information.
- Temporarily disable the directory synchronization task in the FortiNAC scheduler to prevent the synchronization from pulling directory information before the setup is complete. See Scheduler.
- If you want to send e-mail to administrators, make sure to map the e-mail field in your directory to the e-mail field in FortiNAC. To set up this mapping go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Select the Attribute Mappings tab and make sure that the e-mail field is configured. This setting allows users to receive e-mails based on device profiler settings, guest manager settings, and event to alarm mappings based on group membership.
- Create groups in the directory for each set of administrator privileges you wish to grant. For example, if you want to have administrators with full rights to FortiNAC and administrators who are just sponsors for guest access, create two groups in the directory, one for each type of administrator. Add the appropriate administrators to the new groups.
- Make sure the new groups are selected to be included when the directory and FortiNAC are synchronized. To select the groups go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Click the Select groups tab and review the selected groups
FortiNAC
- All administrators require an administrator profile that provides permissions. Create the appropriate administrator profiles first. See Administrator profiles.
- Go to the Groups View and create Administrator groups to contain the users who will be given access to FortiNAC. The group name must be absolutely identical to the name of the group in the directory.
- Since groups automatically brought over from the directory are typically Host groups, you must create the Administrator groups manually. If a group already exists with the name of one of the Administrator groups, you must delete that group and add it again as an Administrator group.
-
Map administrator groups to administrator profiles. These mappings allow FortiNAC to determine the administrator profile that should be associated with an administrator based on the group that contains that user. Mappings are ranked and administrators are associated with the first mapping they match. See Administrator profile mappings.
Example:
- Administrator John is in Group A and Group B.
- Group A is mapped to a guest sponsor profile and Ranked #5.
- Group B is mapped to a Device Manager Profile and Ranked #2.
- FortiNAC associates John with the Device Manager Profile because that mapping has a higher Rank and is the first match for John.
- Go to the Scheduler View in FortiNAC and enable the directory synchronization task. Run the task to update the groups. Users that have already registered in FortiNAC are updated immediately. New users that are not in the FortiNAC database but do exist in the directory are added to FortiNAC groups when they log into the admin UI the first time.
- Go to the groups view and verify that the correct users have been placed in each group. See Groups.
- Go to the administrators view and verify that the administrator profile is correct for each user. See Administrators.
If the root account for FortiNAC is placed in a group with an administrator profile other than the System Administrator profile, the administrator profile of this account will change. This could potentially leave you without a root or admin login that provides access to the entire FortiNAC product. |
Aging for new administrators created by being added to a directory group is determined by Global Aging settings. See Aging and Aging out host or user records. |