
Administration Guide

Creating and Modifying Administrator Accounts


FortiRecorder allows different users to have different access privileges. In its factory default configuration, FortiRecorder has one administrator account named admin. This administrator has permissions that grant full access to FortiRecorder’s settings and features.

Configuring an administrator account

Administrator accounts are created for specific users and allow each user's privileges on the FortiRecorder to be customized.

To configure an account

  1. Go to System > Administrator > Administrator.
  2. Select New.
  3. Expand the preference tab and configure the following settings:
    Setting Name

    Description

    Username

    Type the name of the account, such as IT, that can be referenced in other parts of the configuration.

    Do not use spaces or special characters. The maximum length is 35 characters.

    Note: This is the entire user name that the person must provide when logging in to the CLI or web UI. Depending on Authentication, your external authentication server may require that you enter both the user name and the domain part, such as guard@example.com.

    Trusted hosts

    Type the IP address and netmask from which the account is allowed to log in to the FortiRecorder appliance. You can specify up to 10 trusted network areas. Each area can be a single computer, a whole subnet, or a mixture.

    To allow login attempts from any IP address, enter 0.0.0.0/0.

    To allow logins only from a single computer, enter its IP address and a 32-bit netmask, such as:

    172.168.1.50/32

    Caution: If you configure trusted hosts, do so for all accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one account unrestricted (i.e. 0.0.0.0/0), the FortiRecorder appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see “FortiRecorder configuration”.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    Admin profile

    Select an Admin profile that matches the access you want the administrator to possess. Create a new profile by selecting the New button or select a preexisting profile from the drop-down menu. For more information, see Configuring admin profiles.

    Authentication

    Select an authentication:

    Local — Authenticate using an account whose name, password, and other settings are stored locally, in the FortiRecorder’s configuration.

    RADIUS — Authenticate by querying the remote RADIUS server that stores the account’s name and password. Also configure RADIUS profile and Check permission attribute on RADIUS server.

    RADIUS+Local — Authenticate either by querying the remote RADIUS server that stores the account’s name and password, or by querying the accounts stored locally, in the FortiRecorder appliance’s configuration. Also configure RADIUS profile and Check permission attribute on RADIUS server.

    LDAP — Authenticate by querying a remote LDAP server that stores the account’s name and password.

    Password and Confirm password

    Enter a password for the account.

    This field is available only when Authentication is Local or RADIUS+Local.

    Display name

    Enter a name for the recipient, such as FortiRecorder admin.

    Email address

    Enter the person’s email address or an email alias, such as all-admins@example.com, that will receive snapshot notifications, if any, sent by FortiRecorder.

    Theme

    Select this administrator account’s preference for the initial web UI color scheme or click Use Current to choose the theme currently in effect for your own web UI session.

    The administrator may switch the theme at any time after he or she logs in by clicking Next Theme in the top right corner.

    Notification

    Select either Email or SMS to send notification messages to this user.

    For SMS notification method, specify the SMS service provider and SMS recipient information.

    SMS Provider and SMS Number

    Enter the user's text messaging service provider and number to have FortiRecorder directly message the user.

    Assistant User and Password

    If this user has Amazon Alexa and/or IFTTT accounts, specify the account name and password so the user can use Alexa and/or Applets.
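
The Trusted hosts caution above applies across all accounts, so it is worth checking an exported list of accounts as a whole. The following is an added example, not Fortinet code: it audits an inventory of administrator accounts for the conditions the guide warns about. The inventory format, the function name audit_trusted_hosts and the sample accounts are assumptions made for illustration; it does not read FortiRecorder configuration directly.

```python
import ipaddress

MAX_TRUSTED_AREAS = 10  # limit stated in the guide

# Constructed sample inventory: {username: [trusted host entries]}
SAMPLE = {
    "admin": ["0.0.0.0/0"],
    "IT": ["172.168.1.50/32"],
    "guard": ["192.0.2.0/24", "not-an-ip"],
}

def audit_trusted_hosts(accounts):
    """Return (findings, exposed) for an inventory of admin accounts.

    findings maps each username to a list of issue strings.
    exposed is True when at least one account allows any address, which
    means login attempts must be accepted for every account.
    """
    findings = {}
    exposed = False
    for user, entries in accounts.items():
        issues = []
        if not entries:
            issues.append("no trusted hosts recorded in inventory")
        if len(entries) > MAX_TRUSTED_AREAS:
            issues.append(f"{len(entries)} areas exceeds limit of {MAX_TRUSTED_AREAS}")
        for entry in entries:
            try:
                # strict=False accepts a host address with a wider netmask
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                issues.append(f"{entry}: not a valid address/netmask")
                continue
            if net.prefixlen == 0:
                exposed = True
                issues.append(f"{entry}: unrestricted (any address)")
            elif net.num_addresses > 1:
                issues.append(
                    f"{entry}: subnet of {net.num_addresses} addresses, not a single host")
        findings[user] = issues
    return findings, exposed

if __name__ == "__main__":
    results, exposed = audit_trusted_hosts(SAMPLE)
    for user, issues in results.items():
        print(user, "OK" if not issues else "; ".join(issues))
    print("all accounts exposed to login attempts:", exposed)
```
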

Configuring admin profiles

Admin profiles control which FortiRecorder functions users are allowed to access. You can create multiple profiles with multiple access controls. For example, you may want to create a profile for administrators that has access to all functions, while also having a profile for a camera monitor that only has access to a specific set of functions in FortiRecorder.

To configure an admin profile

  1. Go to System > Administrator > Admin Profile.
  2. Select New.
  3. Enter a profile name.
  4. Specify the access privileges. Profiles can have read-only, read-write, or no access rights to the following access categories:

    Access Control

    Description

    System access

    Controls settings critical to network accessibility of FortiRecorder:

    • System Status page
    • GUI console
    • Network
    • Administrator
    • Authentication and certificates

    System status

    Controls other system settings, such as:

    • Time
    • Remote storage
    • Log settings
    • Alert email

    System configuration

    Controls whether a user is able to access various system configurations.

    System maintenance

    Controls system maintenance, such as being able to back up system configurations.

    Camera configuration

    Controls camera installation and configuration.

    Read: Provides access to viewing configuration.

    Write: Enables modifying camera configuration.

    Camera status

    Controls camera status.

    Read: Provides access to viewing camera statistics and status.

    Write: Enables modifying camera statistics configuration.

    Camera liveview

    Controls whether a user can monitor the liveview of selected cameras.

    Read: Provides access to the camera's live view streaming.

    Write: Enables annotation.

    Video playback

    Controls whether a user can monitor the recorded video of selected cameras.

    Read: Provides a viewable timeline and playback of existing recordings.

    Write: Enables the ability to download an existing recording.

    Camera analytic

    Controls the camera analytic.

    Read: Provides the user viewable results from motion and heat map analysis.

    Write: Enables the creation of motion and heatmap analysis.

    Camera notification

    Controls whether a user has access to various camera notification events, such as facial detection or motion detection.

    Read: Provides viewable notifications.

    Write: Enables the configuration of notifications.

    Camera services

    Controls camera services.

    Read: Provides viewable configuration settings.

    Write: Enables modifying configuration.

  5. Select Create.

Configuring access control

Access control determines which camera groups users are allowed to access and when users are allowed to access the cameras.

To configure access control

  1. Go to System > Administrator > Access Control.
  2. Select New.
  3. Enter a name.
  4. Specify a camera group the user is allowed to access.
  5. Add an access schedule by selecting New.
  6. Select the name of the schedule and whether to deny or allow access from the Access type drop-down menu.
  7. Select Create.
