Configuring administrator accounts and access profiles
The Administrator submenu configures administrator accounts and access profiles.
This topic includes:
Configuring administrator accounts
System > Administrator > Administrator displays a list of the FortiVoice unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).
By default, FortiVoice units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts with restricted permissions.
To view and configure administrator accounts
- Go to System > Administrator > Administrator.
| GUI field | Description |
|---|---|
| Enabled | Displays the administrator status. |
| Name | Displays the name of the administrator account. |
| Admin Profile | The administrator profile that determines which functional areas the administrator account may view or affect. |
| Authentication Type | The administrator authentication type: Local, LDAP or Single Sign On. |
| Authentication Profile | The LDAP authentication profile. For more information, see Configuring LDAP settings. |
| Trusted Hosts | Displays the IP address and netmask from which the administrator can log in. |
- Either click New to add an account or double-click an account to modify it.
A dialog appears.
- Configure the following:
GUI field
Description
Enabled
Click to activate the administrator status. By default, this is enabled.
Administrator
Enter the name for this administrator account.
The name can contain numbers (0‑9), uppercase and lowercase letters (A‑Z, a‑z), hyphens ( - ), and underscores ( _ ). Other special characters and spaces are not allowed.
Email address
Enter the administrator’s email address.
Associate extension
If the Authentication type is Single Sign On, select an extension.
Using the associate extension and single sign on (SSO), you can log in to the user portal and then access the FortiVoice GUI without signing in a second time.
Click Edit to modify the selected extension or click New to configure a new one. For more information about extensions, see Configuring IP extensions.
For more details about using SSO, see Connecting to the FortiVoice GUI.
For more information about SSO configuration, see Configuring single sign on.
Admin profile
Select the name of an admin profile that determines which functional areas the administrator account may view or affect.
Click New to create a new profile or Edit to modify the selected profile. For details, see Configuring administrator profiles.
Access mode
Specify the access privilege: CLI, GUI, or REST API.
REST API is needed for security fabric configuration. See Configuring FortiVoice to join the Security Fabric.
Authentication type
Select an administrator authentication type: Local, RADIUS, LDAP, or Single Sign On.
For information about single sign on, see Configuring single sign on.
New password
Enter this account’s password.
The password can contain any character except spaces.
This field does not appear if Authentication type is LDAP.
Do not enter a FortiVoice administrator password less than six characters long. For better security, enter a longer password with a complex combination of characters and numbers, and change the password regularly. Failure to provide a strong password could compromise the security of your FortiVoice unit.
Confirm password
Enter this account’s password again to confirm it.
This field does not appear if Authentication type is LDAP.
LDAP profile
If you select LDAP for Authentication type, select an LDAP authentication profile. For more information, see Configuring LDAP settings.
Trusted hosts type
Select a trusted host type:
- User defined: Add details about the hosts in Trusted Hosts.
- RFC 1918 predefined: FortiVoice allows connections from any private IP address specified by Request for Comments 1918 (RFC 1918).
Trusted hosts
Enter an IPv4 or IPv6 address or subnet from which this administrator can log in.
If you want the administrator to access the FortiVoice unit from any IP address, use 0.0.0.0/0.0.0.0.
Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiVoice unit from your private network by typing 192.168.1.0/255.255.255.0.
For additional security, restrict all trusted host entries to administrative hosts on your trusted private network. For example, if your FortiVoice administrators log in only from the 10.10.10.10/24 subnet, to prevent possibly fraudulent login attempts from unauthorized locations, you could configure that subnet in the Trusted Host #1, Trusted Host #2, and Trusted Host #3 fields.
For information on restricting administrative access protocols that can be used by these hosts, see Editing network interfaces.
Click the + sign to add additional IP addresses or subnets from which the administrator can log in.
Select language
Select this administrator account’s preference for the display language of the GUI.
Select theme
Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.
The administrator may switch the theme at any time during a session by clicking Next Theme.
Department only
Select the checkbox if this is a department administrator.
Description
Select Edit to enter any comments for the administrator account.
Departments
This option is only available if you select Department only.
Click the + sign to add the department to which the administrator belongs.
- Click Create.
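The trusted host guidance above can be checked across accounts with a short script. This is an added example, not part of the FortiVoice documentation or product code: it classifies each trusted host entry as unrestricted, inside RFC 1918, outside RFC 1918, or malformed. The account names and entries in SAMPLE_ACCOUNTS are constructed, and how the entries are collected from the unit is left out as an assumption.

```python
import ipaddress

# RFC 1918 private ranges (what "RFC 1918 predefined" refers to).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: account name -> trusted host entries as typed.
SAMPLE_ACCOUNTS = {
    "admin": ["0.0.0.0/0.0.0.0"],
    "voice-ops": ["192.168.1.0/255.255.255.0", "10.10.10.10/24"],
    "dept_admin": ["203.0.113.0/255.255.255.0", "192.168.1.0/255.0.255.0"],
}


def classify_trusted_host(entry):
    """Return (normalized_network, finding) for one trusted host entry.

    Accepts address/netmask in dotted decimal, address/prefix length,
    or a bare address (treated as a single host).
    """
    try:
        # strict=False tolerates host bits: 10.10.10.10/24 -> 10.10.10.0/24
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None, "invalid"  # e.g. a non-contiguous netmask
    if net.prefixlen == 0:
        return net, "any-address"  # 0.0.0.0/0.0.0.0 matches every source
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return net, "rfc1918"
    return net, "outside-rfc1918"


def audit(accounts):
    """Return sorted (account, entry, finding) tuples that need review."""
    findings = []
    for name, entries in accounts.items():
        for entry in entries:
            _, finding = classify_trusted_host(entry)
            if finding != "rfc1918":
                findings.append((name, entry, finding))
    return sorted(findings)


if __name__ == "__main__":
    for name, entry, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {entry} -> {finding}")
```

An entry reported as outside-rfc1918 is not necessarily wrong, but it should correspond to a known administrative host rather than a broad public range.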
Configuring administrator profiles
System > Administrator > Admin Profile displays a list of administrator access profiles.
Administrator profiles govern which areas of the GUI and CLI an administrator can access, and whether they have the permissions necessary to change the configuration or otherwise modify items in each area.
To configure administrator access profiles
- Go to System > Administrator > Admin Profile.
- Either click New to add an access profile or double-click an access profile to modify it.
- In Profile name, enter the name for this access profile.
- For each access control option, select the permissions to be granted to administrator accounts associated with this access profile:
- None
- Read Only
- Read-Write
- Click Create.