Creating and Modifying Administrator Accounts
FortiRecorder allows different users to have different access privileges. In its factory default configuration, FortiRecorder has one administrator account named admin. This administrator has permissions that grant full access to FortiRecorder’s settings and features.
Configuring an administrator account
Administrator accounts are created for specific users and let you customize the privileges each user has on the FortiRecorder.
To configure an account
- Go to System > Administrator > Administrator.
- Select New.
- Expand the preference tab and configure the following settings:
Setting Name
Description
Username
Type the name of the account, such as IT, that can be referenced in other parts of the configuration.
Do not use spaces or special characters. The maximum length is 35 characters.
Note: This is the entire user name that the person must provide when logging in to the CLI or web UI. Depending on Authentication, your external authentication server may require that you enter both the user name and the domain part, such as guard@example.com.
Trusted hosts
Type the IP address and netmask from which the account is allowed to log in to the FortiRecorder appliance. You can specify up to 10 trusted network areas. Each area can be a single computer, a whole subnet, or a mixture.
To allow login attempts from any IP address, enter 0.0.0.0/0.
To allow logins only from a single computer, enter its IP address and a 32-bit netmask, such as:
172.168.1.50/32
Caution: If you configure trusted hosts, do so for all accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one account unrestricted (i.e. 0.0.0.0/0), the FortiRecorder appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.
Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see “FortiRecorder configuration”.
Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.
Admin profile
Select an Admin profile that matches the access you want the administrator to possess. Create a new profile by selecting the New button or select a preexisting profile from the drop-down menu. For more information, see Configuring admin profiles.
Authentication
Select an authentication:
Local — Authenticate using an account whose name, password, and other settings are stored locally, in the FortiRecorder’s configuration.
RADIUS — Authenticate by querying the remote RADIUS server that stores the account’s name and password. Also configure RADIUS profile and Check permission attribute on RADIUS server.
RADIUS+Local — Authenticate either by querying the remote RADIUS server that stores the account’s name and password, or by querying the accounts stored locally, in the FortiRecorder appliance’s configuration. Also configure RADIUS profile and Check permission attribute on RADIUS server.
LDAP — Authenticate by querying a remote LDAP server that stores the account’s name and password.
Password and Confirm password
Enter a password for the account.
This field is available only when Authentication is Local or RADIUS+Local.
Display name
Enter a name for the recipient, such as FortiRecorder admin.
Email address
Enter the person’s email address or an email alias, such as all-admins@example.com, that will receive snapshot notifications, if any, sent by FortiRecorder.
Theme
Select this administrator account’s preference for the initial web UI color scheme or click Use Current to choose the theme currently in effect for your own web UI session.
The administrator may switch the theme at any time after he or she logs in by clicking Next Theme in the top right corner.
Notification
Select either Email or SMS to send notification messages to this user.
For the SMS notification method, specify the SMS service provider and SMS recipient information.
SMS Provider and SMS Number
Enter the user's text messaging service provider and number to have FortiRecorder directly message the user.
Assistant User and Password
If this user has Amazon Alexa and/or IFTTT accounts, specify the account name and password so the user can use Alexa and/or Applets.
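The Trusted hosts rules and Caution above can be checked offline against a list of accounts before they are entered. The following Python is an added example, not part of the FortiRecorder documentation or product; the account dictionary is constructed sample data, and treating an account with no entries as unrestricted is an assumption.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 10  # page: up to 10 trusted network areas per account
MAX_USERNAME_LEN = 35   # page: maximum user name length

def audit_accounts(accounts):
    """Audit {user name: [trusted host CIDRs]}; return (findings, exposed).

    exposed is True when any account accepts logins from any address, which
    per the Caution leaves every account open to login attempts.
    """
    findings, exposed = [], False
    for name, hosts in accounts.items():
        # Only length and whitespace are checked; the page does not list
        # which "special characters" are rejected.
        if len(name) > MAX_USERNAME_LEN or any(c.isspace() for c in name):
            findings.append((name, "invalid user name"))
        if len(hosts) > MAX_TRUSTED_HOSTS:
            findings.append((name, "more than 10 trusted hosts"))
        if not hosts:
            # Assumption: no entries is treated the same as 0.0.0.0/0.
            exposed = True
            findings.append((name, "no trusted hosts"))
        for entry in hosts:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((name, f"unparseable entry {entry}"))
                continue
            if net.prefixlen == 0:
                exposed = True
                findings.append((name, f"unrestricted {net}"))
            elif net.prefixlen < net.max_prefixlen:
                findings.append((name, f"subnet {net}, not a single host"))
    return findings, exposed

# Constructed sample accounts (not exported from a real appliance).
SAMPLE = {
    "admin": ["0.0.0.0/0"],
    "IT": ["172.168.1.50/32"],
    "guard@example.com": ["10.20.30.0/24", "10.20.31.7/32"],
}

if __name__ == "__main__":
    findings, exposed = audit_accounts(SAMPLE)
    for name, problem in findings:
        print(f"{name}: {problem}")
    print("login attempts accepted from any address:", exposed)
```

On the sample data, the single unrestricted admin entry sets exposed to True even though the other two accounts are restricted, which is the situation the Caution describes.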
Configuring admin profiles
Admin profiles control which FortiRecorder functions users are allowed to access. You can create multiple profiles with multiple access controls. For example, you may want to create a profile for administrators that has access to all functions, while also having a profile for a camera monitor that only has access to a specific set of functions in FortiRecorder.
To configure an admin profile
- Go to System > Administrator > Admin Profile.
- Select New.
- Enter a profile name.
- Specify the access privileges. Profiles can have read-only, read-write, or no access rights to the following access categories:
Access Control
Description
System access
Controls settings critical to network accessibility of FortiRecorder:
- System Status page
- GUI console
- Network
- Administrator
- Authentication and certificates
System status
Controls other system settings, such as:
- Time
- Remote storage
- Log settings
- Alert email
System configuration
Controls whether a user is able to access various system configurations.
System maintenance
Controls system maintenance, such as being able to back up system configurations.
Camera configuration
Controls camera installation and configuration.
Read: Provides access to viewing configuration.
Write: Enables modifying camera configuration.
Camera status
Controls camera status.
Read: Provides access to viewing camera statistics and status.
Write: Enables modifying camera statistics configuration.
Camera liveview
Controls whether a user can monitor the liveview of selected cameras.
Read: Provides access to the camera's live view streaming.
Write: Enables annotation.
Video playback
Controls whether a user can monitor the recorded video of selected cameras.
Read: Provides a viewable timeline and playback of existing recordings.
Write: Enables the ability to download an existing recording.
Camera analytic
Controls the camera analytic.
Read: Provides the user with viewable results from motion and heat map analysis.
Write: Enables the creation of motion and heat map analysis.
Camera notification
Controls whether a user has access to various camera notification events, such as facial detection or motion detection.
Read: Provides viewable notifications.
Write: Enables the configuration of notifications.
Camera services
Controls camera services.
Read: Provides viewable configuration settings.
Write: Enables modifying configuration.
- Select Create.
Configuring access control
Access control determines which camera groups users are allowed to access and when users are allowed to access the cameras.
To configure access control
- Go to System > Administrator > Access Control.
- Select New.
- Enter a name.
- Specify a camera group the user is allowed to access.
- Add an access schedule by selecting New.
- Select the name of the schedule and whether to deny or allow access from the Access type drop-down menu.
- Select Create.