Administration Guide

Configuring user and administrator accounts

In its factory default configuration, FortiRecorder has one user account, named admin. However, most deployments require more logins for other system administrators and users such as security guards.

Best practice is to create a separate user account for each person, and follow the principle of least privilege: only grant administrator-level access if the person's role requires it. This reduces the risk of accidents and malicious insiders. For example, IT personnel need logins with administrator permissions to do their job, but finance personnel usually do not. As a result, you would assign different profiles to those users. You must also deactivate a user account if that person leaves the organization, and create new accounts for new employees. Best practice is for larger organizations to do this centrally with a remote authentication server such as FortiAuthenticator, Microsoft Active Directory, or Red Hat Identity Management, instead of individually on each server, each FortiRecorder, etc. This saves time and gives consistent access control and password management.

User accounts on FortiRecorder have privileges that are determined by their assigned profile.

To configure an administrator or user account

  1. Go to System > Administrator > Administrator.
  2. Click New.

  3. Expand the Preference section.

    Configure the following settings:

    Setting Name

    Description

    Username

    Type a unique name for the account, such as jdoe, that can be referenced in other parts of the configuration.

    Do not use spaces or special characters. The maximum length is 35 characters.

    Caution

    This is the entire user name that the person must enter when logging in to the CLI or GUI. Depending on Authentication, your external authentication server may require that you enter both the user name and the domain part, such as guard@example.com.

    Trusted hosts

    Type the IP address and netmask from which the account is allowed to log in to the FortiRecorder appliance. You can specify up to 10 trusted network areas. Each area can be a single computer, a whole subnet, or a mixture.

    To allow login attempts from any IP address, enter:

    0.0.0.0/0

    To allow logins only from one specific computer, enter its IP address and a 32-bit netmask, such as:

    172.168.1.50/32

    Caution

    If you configure trusted hosts, do so for all accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one account unrestricted (allow connections from 0.0.0.0/0), the FortiRecorder appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name's trusted hosts list.

    Caution

    For improved security, restrict each administrator's trusted host address to one IP address: the computer that they will use to log on.

    If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see Configuring network interfaces.

    Admin profile

    Select a profile that matches the permissions that you want the user to have. Either click the New button to create a new profile, or select an existing profile from the dropdown menu. For more information, see Configuring administrator profiles.

    Access control

    Select a profile that matches the camera permissions that you want the user to have. Either click the New button to create a new profile, or select an existing profile from the dropdown list. See also Configuring device access control.

    This field is available only if Admin profile is not SuperAdminProfile. (Root administrator accounts have full privileges.)

    Authentication

    Select an authentication type:

    • Local — Authenticate using an account whose name, password, and other settings are stored locally, in your FortiRecorder appliance's configuration.
    • RADIUS — Authenticate by querying the remote RADIUS server that stores the account's name and password. Also configure RADIUS profile and Check permission attribute on RADIUS server. See Configuring RADIUS authentication.
    • RADIUS+Local — Authenticate either by querying the remote RADIUS server that stores the account's name and password, or by querying the accounts stored locally, in the FortiRecorder appliance's configuration. Also configure RADIUS profile and Check permission attribute on RADIUS server.
    • LDAP — Authenticate by querying a remote LDAP server that stores the account's name and password. See Configuring LDAP authentication.
    • Single Sign On — Authenticate by querying a SAML SSO IdP server such as FortiAuthenticator or Ping Identity. See Configuring single sign-on (SSO) authentication.

    Password and Confirm password

    Enter a password for the account.

    This field is available only when Authentication is Local or RADIUS + Local. To require strong passwords, see Configuring the public port numbers and domain name.

    Preference

    Display name

    Enter a display name for the recipient, such as FortiRecorder admin.

    Email address

    Enter the person's email address or an email alias, such as all-admins@example.com, that will receive snapshot notifications, if any, sent by FortiRecorder.

    Theme

    Select this administrator account's preference for the initial GUI color scheme, or click Use Current to choose the theme currently in effect for your own GUI session. See also Customizing the theme.

    The administrator may switch the theme at any time after he or she logs in by clicking Next Theme in the top right corner.

    Notification

    Select one of the notification methods:

    • Email
    • SMS
    • Mobile app

    For SMS notification method, specify the SMS service provider and SMS recipient information. See also Configuring notification triggers.

    This setting appears only if Admin profile is SuperAdminProfile.

    Devices

    FortiRecorder Mobile app installations that are associated with this account.

    SMS Provider and SMS Number

    Enter the user's text messaging service provider and mobile phone number.

    QR Code

    When the user's account is created, FortiRecorder uses your specified email server (see Configuring email settings for notifications) to send them a QR code with an invitation to log in. The person can use the FortiRecorder Mobile app to scan the QR code.

    If they did not receive the email and you need to assist them, you can click either:

    • Click to get: Open the QR code image in a new browser tab or window so that you can copy or download it.
    • Send to email: Resend the QR code to the address in Email address.
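The trusted hosts Caution above describes a mechanism rather than a setting: a single account left at 0.0.0.0/0 forces the appliance to accept login attempts on every administrative interface before it can consult any account's list. The following audit is an added example, not FortiRecorder code or the product's CLI; the account data is constructed, and it applies the limits stated on this page (at most 10 entries per account, /32 pinning recommended for administrators).

```python
# Added example (not FortiRecorder code): audit the Trusted hosts lists of several
# administrator accounts as the Caution above describes. Account data is constructed;
# "trusted_hosts" holds the CIDR strings exactly as typed into the GUI field.
import ipaddress
from typing import Dict, List

MAX_TRUSTED_HOSTS = 10                       # limit stated on this page
ANY_HOST = ipaddress.ip_network("0.0.0.0/0")  # the "allow from anywhere" entry


def parse_trusted_hosts(entries: List[str]) -> list:
    """Parse one account's CIDR strings; reject more than 10 entries or malformed input."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts per account")
    # strict=False accepts a host address written with its netmask, e.g. 172.168.1.50/32
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_source_trusted(entries: List[str], source_ip: str) -> bool:
    """True if a login source address falls inside any trusted host entry of the account."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in parse_trusted_hosts(entries))


def audit_accounts(accounts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return findings per account.

    'unrestricted': the list contains 0.0.0.0/0, so per the Caution every account on the
                    appliance remains reachable from anywhere.
    'broad':        an entry wider than one /32 host, which the page advises against for
                    administrator accounts.
    """
    findings: Dict[str, List[str]] = {}
    for name, entries in accounts.items():
        nets = parse_trusted_hosts(entries)
        problems = []
        if any(n == ANY_HOST for n in nets):
            problems.append("unrestricted")
        if any(n != ANY_HOST and n.prefixlen < n.max_prefixlen for n in nets):
            problems.append("broad")
        findings[name] = problems
    return findings


def appliance_exposed(accounts: Dict[str, List[str]]) -> bool:
    """One unrestricted account is enough to expose the login path on all interfaces."""
    return any("unrestricted" in p for p in audit_accounts(accounts).values())


# Constructed sample configuration (not real data).
SAMPLE_ACCOUNTS = {
    "admin":  ["172.168.1.50/32"],   # pinned to one workstation, as recommended
    "jdoe":   ["10.0.5.0/24"],       # a whole subnet: broad
    "guard1": ["0.0.0.0/0"],         # unrestricted: undoes the restrictions on the others
}

if __name__ == "__main__":
    for acct, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{acct}: {', '.join(problems) or 'ok'}")
    print("login attempts accepted from anywhere:", appliance_exposed(SAMPLE_ACCOUNTS))
```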

Configuring administrator profiles

Profiles act as access controls that grant permissions to each user for accessing specific FortiRecorder features.

For example, you might create a profile for administrators that grants access to all functions, and a profile for security guards that only grants access to view and operate the cameras.

To configure an administrator profile

  1. Go to System > Administrator > Admin Profile.
  2. Click New.
  3. Enter a profile name.
  4. Specify the access privileges. Profiles can have read-only, read-write, or no access rights to the following access categories:

    Access Control

    Description

    System access

    Controls system login and network settings of FortiRecorder:

    • Dashboard > Status
    • GUI console
    • System > Network
    • System > Administrator
    • System > Authentication
    • System > Certificate

    System status

    Controls other system settings, such as

    • Time
    • Remote storage
    • Log settings
    • Alert email

    System configuration

    Controls whether a user is able to access various system configurations.

    System maintenance

    Controls access to System > Maintenance, such as being able to back up the system configuration.

    Camera configuration

    Controls camera installation and configuration.

    Read: Provides access to viewing configuration.

    Write: Enables modifying camera configuration.

    Camera status

    Controls camera status.

    Read: Provides access to viewing camera statistics and status.

    Write: Enables modifying camera statistics configuration.

    Camera live view

    Controls whether a user can monitor the live video stream of selected cameras. See also Viewing live video.

    Read: Provides access to the camera's live video feed.

    Write: Enables annotation.

    Video playback

    Controls whether a user can play the previously recorded video of selected cameras. See also Viewing previously recorded video.

    Read: Provides a viewable timeline and playback of existing recordings.

    Write: Enables the ability to download an existing recording.

    Camera analytic

    Controls the camera-based analysis.

    Read: Provides the user with viewable results from motion and heat map analysis.

    Write: Enables the creation of motion and heatmap analysis.

    Camera notification

    Controls whether a user can receive camera notification events, such as facial detection or motion detection. See also Configuring notification triggers.

    Read: Provides viewable notifications.

    Write: Enables the configuration of notifications.

    Camera services

    Controls camera services.

    Read: Provides viewable configuration settings.

    Write: Enables modifying configurations.

    Camera ACS service

    Controls ACS service. See also Integrating with an ACS.

    Read: Provides viewable configuration settings.

    Write: Enables modifying configurations.

  5. Click Create.
  6. To use the profile, select it when configuring a user account. For details, see Configuring user and administrator accounts.

Configuring device access control

Access control determines which camera groups users are allowed to access, and when they are allowed to access them.

To configure access control

  1. Go to System > Administrator > Access Control.
  2. Click New.
  3. Configure the following settings:

    Setting Name

    Description

    Name

    Type a unique name for the device access control rule.

    Camera Group List

    To include cameras in the policy, select their name and then click the >> (right arrow) button to move them into the column on the right. See also Grouping cameras.

    Access

    Click New to add a new policy to the rule, or double-click an existing rule to edit it. Then enter:

    • Name: Select the name of an existing schedule, or click the + (plus) button to add a new schedule. See also Configuring a schedule.
    • Access type: Select either Allow or Deny. If the user tries to access the camera when the schedule denies it, then an error message displays: Access not permitted at this time.
  4. To use the profile, select it when configuring a user account. For details, see Configuring user and administrator accounts.
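As an added example (not FortiRecorder code), the following models the rule configured above: a set of camera groups plus ordered policies, each pairing a schedule with an Access type of Allow or Deny, and it returns the error text quoted on this page when the schedule denies access. The schedule representation (weekday set and a time window that does not cross midnight), the evaluation order (first matching policy wins) and the result when no policy matches (deny) are assumptions of the example, not behaviour stated on this page.

```python
# Added example (not FortiRecorder code): evaluate a device access control rule.
# Schedules, policy precedence and the default when nothing matches are assumptions
# of this example; the sample rule and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional

DENIED_MESSAGE = "Access not permitted at this time"   # error text quoted on this page


@dataclass(frozen=True)
class Schedule:
    name: str
    days: FrozenSet[int]      # Monday=0 ... Sunday=6
    start: time
    end: time                 # exclusive; windows do not cross midnight in this model

    def matches(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Policy:
    schedule: Schedule
    access_type: str          # "Allow" or "Deny", as in the Access type dropdown


@dataclass
class AccessControlRule:
    name: str
    camera_groups: FrozenSet[str]
    policies: List[Policy] = field(default_factory=list)


def check_camera_access(rule: AccessControlRule, camera_group: str,
                        when: datetime) -> Optional[str]:
    """Return None when access is permitted, otherwise the message the user would see."""
    if camera_group not in rule.camera_groups:
        return "camera group not covered by this rule"      # constructed message
    for policy in rule.policies:                           # assumed: first match wins
        if policy.schedule.matches(when):
            return None if policy.access_type == "Allow" else DENIED_MESSAGE
    return DENIED_MESSAGE                                  # assumed: deny by default


# Constructed sample: guards may view the lobby cameras on weekday day shifts only.
WEEKDAYS = frozenset(range(0, 5))
DAY_SHIFT = Schedule("day-shift", WEEKDAYS, time(7, 0), time(19, 0))
ALWAYS = Schedule("always", frozenset(range(7)), time(0, 0), time(23, 59, 59))
GUARD_RULE = AccessControlRule(
    "guards-lobby",
    frozenset({"lobby"}),
    [Policy(DAY_SHIFT, "Allow"), Policy(ALWAYS, "Deny")],
)

if __name__ == "__main__":
    # 2024-05-06 is a Monday, 2024-05-11 a Saturday.
    for stamp in (datetime(2024, 5, 6, 9, 30), datetime(2024, 5, 6, 22, 0),
                  datetime(2024, 5, 11, 9, 30)):
        print(stamp, check_camera_access(GUARD_RULE, "lobby", stamp) or "permitted")
```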
