system admin
Use this command to configure FortiWeb administrator accounts. In its factory default configuration, a FortiWeb appliance has one administrator account, named admin. That administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web UI or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.
Administrators can access the web UI and the CLI through the network, depending on the administrator account’s trusted hosts, ADOMs, and the administrative access protocols enabled for each of the FortiWeb appliance’s network interfaces. For details, see system interface, , and Connecting to the CLI.
To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable . For details, see .
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.
Syntax
config system admin
set accprofile "<access-profile_name>"
set accprofile-override {enable | disable}
set email-address "<contact_email>"
set mobile-number "<cell-phone_str>"
set phone-number "<phone_str>"
set trusthosts "<management-computer_ipv4mask>"
set ip6trusthosts "<management-computer_ipv6mask>"
set type {local-user | remote-user}
set admin-usergroup "<remote-auth-group_name>"
set wildcard {enable | disable}
set force-password-change {enable | disable}
next
end
Variable | Description | Default
--- | --- | ---
edit | Enter the name of the administrator account. Do not use spaces or special characters except the ‘at’ symbol (@). To display the list of existing accounts, enter: Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query. | No default.
accprofile "<access-profile_name>" | Enter the name of an access profile that gives the permissions for this administrator account. See also system accprofile. The maximum length is 63 characters. You can select prof_admin, a special access profile used by the admin account. To display the list of existing profiles, enter: Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can assign their access profile through the RADIUS server using RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes. On the RADIUS server, create an attribute named: then set its value to the name of the access profile that you want to assign to this account. Finally, in the CLI, use accprofile-override {enable | disable} to enable the override. If no profile is assigned on the RADIUS server, or if the assigned name does not match an existing access profile on FortiWeb, FortiWeb falls back to the one locally assigned by this setting. | No default.
accprofile-override {enable | disable} | Enable to use the access profile indicated by the RADIUS query response, and ignore accprofile "<access-profile_name>". This setting applies only if admin-usergroup "<remote-auth-group_name>" is configured to use a RADIUS query to authenticate this account. This setting applies only if ADOMs are enabled. See . | disable
 | Enter the name of the administrative domain (ADOM) to which this administrator account is assigned and restricted. You can set multiple ADOMs, each separated with a comma (","). This setting applies only if ADOMs are enabled. | No default.
password | Enter a password for the administrator account. The maximum length is 32 characters. The minimum length is 1 character. For improved security, the password should be at least 8 characters long, be sufficiently complex, and be changed regularly. This setting applies only when type is local-user. | No default.
email-address "<contact_email>" | Enter an email address that can be used to contact this administrator. The maximum length is 63 characters. | No default.
 | Enter the first name of the administrator. The maximum length is 63 characters. | No default.
 | Enter the surname of the administrator. The maximum length is 63 characters. | No default.
mobile-number "<cell-phone_str>" | Enter a cell phone number that can be used to contact this administrator. The maximum length is 63 characters. | No default.
phone-number "<phone_str>" | Enter a phone number that can be used to contact this administrator. The maximum length is 63 characters. | No default.
trusthosts "<management-computer_ipv4mask>" | Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to 10 trusted hosts, separated with a space. To allow login attempts from any IP address, enter 0.0.0.0 0.0.0.0. Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. | 0.0.0.0 0.0.0.0
ip6trusthosts "<management-computer_ipv6mask>" | Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to 10 trusted hosts, separated with a space. To allow login attempts from any IP address, enter ::/0. Caution: If you allow logins from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. Unlike IPv4, IPv6 does not isolate public from private networks via NAT, and therefore can increase availability of your FortiWeb’s web UI/CLI to IPv6 attackers unless you have carefully configured your firewall/FortiGate and routers. For details about administrative access protocols, see system interface. Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. | ::/0
type {local-user | remote-user} | Select either local-user or remote-user. | No default.
admin-usergroup "<remote-auth-group_name>" | Enter the name of the remote authentication group whose settings the FortiWeb appliance will use to connect to a remote authentication server when authenticating login attempts for this account. The maximum length is 63 characters. To display the list of existing groups, enter: For details about configuring remote authentication groups, see user admin-usergrp. | No default.
wildcard {enable | disable} | Used when administrator accounts authenticate via a RADIUS query. This setting applies only if the value of type {local-user | remote-user} is remote-user. | No default.
 | The public key used for connecting to the CLI using a public-private key pair. For more information on connecting to the CLI using a public-private key pair, see “Connecting to the CLI” in the FortiWeb Administration Guide. | No default.
force-password-change {enable | disable} | Enable/disable forced password change at the next login. This field can be configured only when Password Policy is enabled in System > Admin > Settings. | disable
Example
This example configures an administrator account with an access profile that grants only permission to read logs. This account can log in only from an IP address on the management LAN (192.0.2.1/24), or from one of two specific IP addresses (192.0.2.15 and 192.0.2.50).
config system admin
    edit "log-auditor"
        set accprofile "log_read_access"
        set password "P@ssw0rd"
        set email-address "log-admin@example.com"
        set trusthost1 "192.0.2.1 255.255.255.0"
        set trusthost2 "192.0.2.15 255.255.255.255"
        set trusthost3 "192.0.2.50 255.255.255.255"
        set force-password-change enable
    next
end
To display all dashboard status and widget settings, enter:
config system admin
show
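A check to run over that show output, covering the trusthosts and ip6trusthosts rows and the Caution about ::/0 above: an added Python script, not part of the FortiWeb documentation, that parses a constructed config system admin dump and flags accounts whose trusted hosts are the wide-open defaults or carry a malformed netmask (such as the 256.256.256.0 typo that an appliance would reject). It assumes per-index trusthostN / ip6trusthostN keys as in the page's own example.

```python
import ipaddress

# Constructed sample shaped like `config system admin` show output (not a real capture).
SAMPLE = """\
config system admin
    edit "admin"
        set trusthost1 "0.0.0.0 0.0.0.0"
    next
    edit "log-auditor"
        set trusthost1 "192.0.2.1 255.255.255.0"
        set trusthost2 "192.0.2.15 255.255.255.255"
        set ip6trusthost1 "::/0"
    next
    edit "helpdesk"
        set trusthost1 "192.0.2.1 256.256.256.0"
    next
end
"""
ANY_V4 = "0.0.0.0 0.0.0.0"  # trusthosts default: login allowed from any IPv4 source
ANY_V6 = "::/0"             # ip6trusthosts default: login allowed from any IPv6 source

def parse_admins(text):
    # Return {account: {setting: value}} from the edit/set/next structure.
    admins, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line.split('"', 2)[1]
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return admins

def trusted_host_findings(admins):
    # List (account, setting, problem) for wide-open or malformed trusted hosts.
    findings = []
    for name, settings in admins.items():
        for key, value in settings.items():
            if key.startswith("ip6trusthost") and value == ANY_V6:
                findings.append((name, key, "allows login from any IPv6 address"))
            elif key.startswith("trusthost") and value == ANY_V4:
                findings.append((name, key, "allows login from any IPv4 address"))
            elif key.startswith("trusthost"):
                addr, _, mask = value.partition(" ")
                try:  # dotted netmask is accepted; 256.256.256.0 raises ValueError
                    ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
                except ValueError:
                    findings.append((name, key, f"invalid address/netmask {value!r}"))
    return findings
```

Paste real show output in place of SAMPLE; any account in the findings list should have its trusted hosts narrowed to the management computers that administrator actually uses.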