Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiPAM 1.4.1 Administration Guide
    1.4.1
    1.4.1
    1.4.0
    1.3.0
    1.2.0
    1.1.2
    1.1.1
    1.1.0
    1.0.3
    1.0.2
    1.0.1
    1.0.0

    User groups

    User groups

    User Groups in User Management displays a list of user groups.

    The following two default user groups are available:

    • everyone: By default, every user belongs to this user group.

    • fortipam _auth_group: By default, the Super Administrator admin user belongs to this user group. Users can be added or removed from this user group.

    The following columns are available in the User Groups window:

    • Name

    • User Members

    • Remote Groups

    • Remote Members

    • Creation Time: Displays the date and time when a user group was created.

    Users can be assigned to groups during user account configuration, or by creating or editing the groups to add users to it.

    The User Groups tab contains the following options:

    Create

    Select to create a new user group.

    Edit

    Select to edit the selected user group.

    Delete

    Select to delete the selected user groups.

    Search

    Enter a search term in the search field, then hit Enter to search the user groups list. To narrow down your search, see Column filter.
    To create a new user group:
    1. Go to User Management > User Groups.
    2. Select Create to create a new user group.

      The General tab in the Create New User Group window opens.

    3. To switch to the Permission tab, select the tab.

    4. In the General tab, enter the following information:

      Name

      Name of the group.

      Type

      Select the type of the group:

      • Remote

      • Local User

      Members

      Select + to add existing members to the user group from the list and select Close, or in the Select Entries window, select + to create a new user.

      See Creating a user.

      Use the search bar to look for a user.

      Remote Groups

      By adding a remote server to the user group, the group will contain all user accounts on that server.

      Optionally, a specific user group on the remote server can be included to restrict the scope to that group.

      See Creating Remote Groups.

      Note: This pane is available only when the Type is Remote.

      Select remote groups from the list and select Delete to delete the remote groups.

      Select a remote group from the list and select Edit to edit the remote group.

    5. Switch to the Permission tab and enter the following information:

      Access

      Select from the following two options:

      • Everyone: All the members of the user group have complete access to the user group.

      • Customized: Customize the level of access for members in the user group.

      User Permission

      The level of user access to the user group. See User Permission.

      Note: The option is only available when Access is set to Customized.

    6. Click OK.
    To create a new remote group:
    1. In the Create New User Group window, select Create in Remote Groups.

      The Remote Groups pane is only available when the Type is Remote.

      The Add Group Match window opens.

    2. In Remote Server dropdown, select LDAP, RADIUS, and SAML servers:
      1. If an LDAP server is selected, from the remote users list, select the remote users to import.

        At least one LDAP server must be already configured. See LDAP servers.

        Hold ctrl and click to select multiple users.

        To narrow down your search, see Column filter.

        You can filter your search by Group, or enter a custom filter and select Apply.

        Enable Show entries in subtree to list remote users in the subtree.

        LDAP filters consist of one or more clauses which can be combined with logical AND/OR operators.

        Filter syntax differs depending on the LDAP server software.

        See the following examples examples:

        • Users with given name starting with the letter "h":

          (&(objectClass=person)(givenName=h*))

        • All groups:

          (&(objectClass=posixGroup)(cn=*))

      2. Optionally, if a RADIUS server is selected, select +, and enter group names in Groups.

        At least one RADIUS server must be already configured. See RADIUS servers.

      3. Optionally, if a SAML server is selected, select +, and enter group names in Groups.

        At least one SAML server must be already configured.

    3. Click OK to save changes to group match.

    Alternatively, use the CLI commands to create a user group.
    User Permission
    To set up user permission:
    1. In step 5 when Creating a user group, provided that Access is set to Customized, select Create in User Permission.

      The New User Permission window opens.

    2. Enter the following information:

      Users

      Select + and from the list, select users in the Select Entries window.

      To add a new user:
      1. From the Select Entries window, select + and then select +UserList.

        The New User List wizard open.

      2. Follow the steps in Creating a user, starting step 2 to create a new user.

      Use the search bar to look up a user.

      Use the pen icon next to a user to edit it.

      Permission

      From the dropdown, select an option:

      • Viewer: Ability to view the user group.

      • Owner: The highest possible permission level with the ability to create, edit, and delete user groups.

    3. Click OK.
    CLI configuration to set up an LDAP user group example:
     config user group
  edit <ldap_group_name>
   set member <ldap_server_name>
   config match		
    edit 1
     set server-name <ldap_server_name>
     set group-name "cn=User,dc=XYA, dc=COM"			 
    next
   end
  next
 end
    CLI configuration to set up a RADIUS user group example:
     config user group
  edit <radius_group_name>
   set member <radius_server_name>
  next
 end
    Previous
    Next

    User groups

    User groups

    User Groups in User Management displays a list of user groups.

    The following two default user groups are available:

    • everyone: By default, every user belongs to this user group.

    • fortipam _auth_group: By default, the Super Administrator admin user belongs to this user group. Users can be added or removed from this user group.

    The following columns are available in the User Groups window:

    • Name

    • User Members

    • Remote Groups

    • Remote Members

    • Creation Time: Displays the date and time when a user group was created.

    Users can be assigned to groups during user account configuration, or by creating or editing the groups to add users to it.

    The User Groups tab contains the following options:

    Create

    Select to create a new user group.

    Edit

    Select to edit the selected user group.

    Delete

    Select to delete the selected user groups.

    Search

    Enter a search term in the search field, then hit Enter to search the user groups list. To narrow down your search, see Column filter.
    To create a new user group:
    1. Go to User Management > User Groups.
    2. Select Create to create a new user group.

      The General tab in the Create New User Group window opens.

    3. To switch to the Permission tab, select the tab.

    4. In the General tab, enter the following information:

      Name

      Name of the group.

      Type

      Select the type of the group:

      • Remote

      • Local User

      Members

      Select + to add existing members to the user group from the list and select Close, or in the Select Entries window, select + to create a new user.

      See Creating a user.

      Use the search bar to look for a user.

      Remote Groups

      By adding a remote server to the user group, the group will contain all user accounts on that server.

      Optionally, a specific user group on the remote server can be included to restrict the scope to that group.

      See Creating Remote Groups.

      Note: This pane is available only when the Type is Remote.

      Select remote groups from the list and select Delete to delete the remote groups.

      Select a remote group from the list and select Edit to edit the remote group.

    5. Switch to the Permission tab and enter the following information:

      Access

      Select from the following two options:

      • Everyone: All the members of the user group have complete access to the user group.

      • Customized: Customize the level of access for members in the user group.

      User Permission

      The level of user access to the user group. See User Permission.

      Note: The option is only available when Access is set to Customized.

    6. Click OK.
    To create a new remote group:
    1. In the Create New User Group window, select Create in Remote Groups.

      The Remote Groups pane is only available when the Type is Remote.

      The Add Group Match window opens.

    2. In Remote Server dropdown, select LDAP, RADIUS, and SAML servers:
      1. If an LDAP server is selected, from the remote users list, select the remote users to import.

        At least one LDAP server must be already configured. See LDAP servers.

        Hold ctrl and click to select multiple users.

        To narrow down your search, see Column filter.

        You can filter your search by Group, or enter a custom filter and select Apply.

        Enable Show entries in subtree to list remote users in the subtree.

        LDAP filters consist of one or more clauses which can be combined with logical AND/OR operators.

        Filter syntax differs depending on the LDAP server software.

        See the following examples examples:

        • Users with given name starting with the letter "h":

          (&(objectClass=person)(givenName=h*))

        • All groups:

          (&(objectClass=posixGroup)(cn=*))

      2. Optionally, if a RADIUS server is selected, select +, and enter group names in Groups.

        At least one RADIUS server must be already configured. See RADIUS servers.

      3. Optionally, if a SAML server is selected, select +, and enter group names in Groups.

        At least one SAML server must be already configured.

    3. Click OK to save changes to group match.

    Alternatively, use the CLI commands to create a user group.
    User Permission
    To set up user permission:
    1. In step 5 when Creating a user group, provided that Access is set to Customized, select Create in User Permission.

      The New User Permission window opens.

    2. Enter the following information:

      Users

      Select + and from the list, select users in the Select Entries window.

      To add a new user:
      1. From the Select Entries window, select + and then select +UserList.

        The New User List wizard open.

      2. Follow the steps in Creating a user, starting step 2 to create a new user.

      Use the search bar to look up a user.

      Use the pen icon next to a user to edit it.

      Permission

      From the dropdown, select an option:

      • Viewer: Ability to view the user group.

      • Owner: The highest possible permission level with the ability to create, edit, and delete user groups.

    3. Click OK.
    CLI configuration to set up an LDAP user group example:
     config user group
  edit <ldap_group_name>
   set member <ldap_server_name>
   config match		
    edit 1
     set server-name <ldap_server_name>
     set group-name "cn=User,dc=XYA, dc=COM"			 
    next
   end
  next
 end
    CLI configuration to set up a RADIUS user group example:
     config user group
  edit <radius_group_name>
   set member <radius_server_name>
  next
 end
    Previous
    Next