Fortinet white logo
Fortinet white logo

Administration Guide

User groups

User groups

A user group contains a list of local and remote users.

Security policies allow access to specified user groups only. This restricted access enforces Role Based Access Control (RBAC) to your organization’s network and its resources. Users must be in a group and that group must be part of the security policy.

Using the GUI:
  1. Go to System > User > Group.
  2. Select Add Group.
  3. Enter the group name.
  4. Select which available users will be members of the new user group.
  5. Enable to make the user account active.
  6. If you want to use an authentication server, select Add Server.
    • Select the server name. If no server name is available, go to System > Authentication to add an authentication server.
    • Enter a group name or select Any.
  7. Select Add Group.
Using the CLI:

config user group

edit <groupname>

set authtimeout <timeout>

set group-type <grp_type>

set http-digest-realm <attribute>

set member <names>

config match

edit <match_id>

set group-name <gname_str>

set server-name <srvname_str>

end

end

The following table describes the parameters:

Field

Description

groupname

Identifies the user group.

authtimeout <timeout>

Sets the authentication timeout for the user group. The range is 1 to 480 minutes. If this field is set to 0, the global authentication timeout value is used.

group-type <grp_type>

Enter the group type. <grp_type> determines the type of users and is one of the following:

  • firewall—FortiSwitch users defined in user local, user ldap, or user radius
  • fsso-service—Directory Service users

http-digest-realm <attribute>

Enter the realm attribute for MD5-digest authentication.

member <names>

Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names with spaces. To add or remove names from the group, you must re-enter the whole list with the additions or deletions required.

config match fields

<match_id>

Enter an ID for the entry.

group-name <gname_str>

Identifies the matching group on the remote authentication server.

server-name <srvname_str>

Specifies the remote authentication server.

User groups

User groups

A user group contains a list of local and remote users.

Security policies allow access to specified user groups only. This restricted access enforces Role Based Access Control (RBAC) to your organization’s network and its resources. Users must be in a group and that group must be part of the security policy.

Using the GUI:
  1. Go to System > User > Group.
  2. Select Add Group.
  3. Enter the group name.
  4. Select which available users will be members of the new user group.
  5. Enable to make the user account active.
  6. If you want to use an authentication server, select Add Server.
    • Select the server name. If no server name is available, go to System > Authentication to add an authentication server.
    • Enter a group name or select Any.
  7. Select Add Group.
Using the CLI:

config user group

edit <groupname>

set authtimeout <timeout>

set group-type <grp_type>

set http-digest-realm <attribute>

set member <names>

config match

edit <match_id>

set group-name <gname_str>

set server-name <srvname_str>

end

end

The following table describes the parameters:

Field

Description

groupname

Identifies the user group.

authtimeout <timeout>

Sets the authentication timeout for the user group. The range is 1 to 480 minutes. If this field is set to 0, the global authentication timeout value is used.

group-type <grp_type>

Enter the group type. <grp_type> determines the type of users and is one of the following:

  • firewall—FortiSwitch users defined in user local, user ldap, or user radius
  • fsso-service—Directory Service users

http-digest-realm <attribute>

Enter the realm attribute for MD5-digest authentication.

member <names>

Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names with spaces. To add or remove names from the group, you must re-enter the whole list with the additions or deletions required.

config match fields

<match_id>

Enter an ID for the entry.

group-name <gname_str>

Identifies the matching group on the remote authentication server.

server-name <srvname_str>

Specifies the remote authentication server.