Administration Guide

User groups

Users can be assigned to groups during user account configuration (see Editing a user), or by editing a group to add users to it.

To view the user groups list, go to Authentication > User Management > User Groups.

User groups can be created for MAC devices. However, MAC devices will only be available to add in a MAC user group after devices have been created or imported.

See MAC devices for more information.

The user groups list shows the following information:

Create New

Select to create user groups.

Import

Select to import user groups from a CSV file.

See Importing user groups.

Export

Select to export the user group list to a CSV file.

Delete

Select to delete the selected user groups.

Edit

Select to edit the selected user groups.

Search

Enter a search term in the search field, then select Search to search the user group list.

To create a new user group:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. Enter the following information:

    Name

    Enter a name for the group.

    Type

    Select the type of group:

    • Local (default)

    • Remote LDAP

    • Remote RADIUS

    • Remote SAML

    • MAC

    Subtype

    Select from the following three options:

    • LDAP directory group: Maps to a group object at the specified Distinguished Name in the remote LDAP directory.

    • List of users

    • LDAP filter (advanced) (default): Queries the remote LDAP server with a custom filter that returns the list of member users.

    This option is only available if Type is Remote LDAP.

    Visible to Sponsors

    Enable to make the user group visible to sponsors in the Sponsor Portal.

    This option is only available if Type is Local.

    Users

    Select users from the search box.

    This option is only available if Type is Local.

    Password policy

    Select a password policy from the dropdown.

    A default password policy is already selected, see Passwords.

    This option is only available if Type is Local.

    Usage Profile

    Enable to determine user time and data usage on a granular level.

    Select a usage profile from the dropdown. At least one usage profile must already be configured, see Usage profile.

    This option is only available if Type is Local, Remote LDAP, or Remote RADIUS.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. At least one remote LDAP server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote LDAP.

    Remote RADIUS

    Select a remote RADIUS server from the dropdown menu. At least one remote RADIUS server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote RADIUS.

    LDAP filter

    Enter an LDAP filter.

    Optionally, select Test filter to ensure that the filter works as expected.

    Selecting Set Group Filter imports the Distinguished Name of the selected LDAP group only.

    Select Set Group Filter to set the LDAP filter. This opens the Set Group Filter window where you can select one or more groups within the tree to build the LDAP filter string. Click Use Filter to confirm the selection.

    Once the groups have been selected, the LDAP filter string is set to the proper syntax that filters the selected groups.

    The objectClass and the memberOf portion must be set according to the User object class and the Group membership attribute setting of the remote LDAP server configuration respectively. See LDAP.

    If the LDAP filter is already configured with a non-empty value, selecting Set Group Filter attempts to interpret the LDAP filter value to preselect the already configured groups in the LDAP tree. However, if the LDAP filter value does not match the string generated by Set Group Filter, the existing filter is ignored, and Set Group Filter opens with no preselected groups. Clicking Use Filter overwrites the previous LDAP filter.

    Select Test Filter to test that the filter functions as expected. FortiAuthenticator shows an LDAP tree with all the users that match the current remote LDAP server setting (i.e., the users that the sync rule syncs when it runs).

    This option is only available if Type is Remote LDAP and Subtype is set to LDAP filter (advanced).

    LDAP users

    Select remote LDAP users from the LDAP users search box.

    This option is only available if Type is Remote LDAP and Subtype is set to List of users.

    RADIUS users

    Select remote RADIUS users from the RADIUS users search box.

    This option is only available if Type is Remote RADIUS.

    Remote SAML

    Select a remote SAML server from the dropdown menu. At least one remote SAML server must already be configured, see Remote authentication servers.

    This option is only available if Type is Remote SAML.

    SAML users

    Select remote SAML users from the SAML users search box.

    This option is only available if Type is Remote SAML.

    MAC devices

    Select from Available MAC Devices and move them to the Chosen MAC Devices box to add them to the group.

    This option is only available if Type is MAC.

    TACACS+ authorization rule

    Select a TACACS+ authorization rule to apply to the user group.

    Include for FSSO

    Enable to specify if the remote LDAP group is included for FSSO.

    The option is disabled by default.

    The option is only available when the Type is Remote LDAP and Subtype is List of Users.

    RADIUS Attributes

    See RADIUS attributes.

    SAML Assertion Attributes

    Select Add SAML Assertion Attribute and enter the Attribute name and the Attribute value.

    To add additional SAML assertion attributes, select Add SAML Assertion Attribute.

  3. Select Save to create the new group.

To edit a user group:
  1. In the user group list, select the group that you need to edit.
  2. Edit the settings as required. The settings are the same as when creating a new group.
  3. Select Save to apply your changes.
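The LDAP filter field in step 2 above is built from two remote LDAP server settings (User object class and Group membership attribute) plus the group DNs chosen in Set Group Filter, and an already configured filter is only interpreted for preselection when it matches the generated form. The following Python is an added example, not FortiAuthenticator's own code, showing one way such a filter is assembled with RFC 4515 value escaping and how a stored filter can be parsed back into the selected groups, returning no groups when the filter does not match the generated shape. The exact string Set Group Filter emits is not given on the page, so the AND/OR layout, the function names, and the sample DNs are assumptions.

```python
"""Build and parse LDAP group-membership filters.

Added example (not FortiAuthenticator code). The filter layout used here,
an AND of the user object class with an OR of membership clauses, is an
assumption based on the page's description of the objectClass and memberOf
portions; the appliance's actual output may differ.
"""
import re

# RFC 4515: these characters are meta-characters inside an assertion value.
# A group DN or object class containing them must be escaped, otherwise the
# filter's meaning changes (LDAP filter injection / unintended widening).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (decodes any \\XX hex escape)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_group_filter(user_object_class: str, membership_attr: str,
                       group_dns: list[str]) -> str:
    """Return a filter selecting users that belong to any of group_dns.

    user_object_class: the remote LDAP server's "User object class" setting.
    membership_attr:   its "Group membership attribute" setting (e.g. memberOf).
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    oc = f"(objectClass={escape_filter_value(user_object_class)})"
    clauses = "".join(f"({membership_attr}={escape_filter_value(dn)})"
                      for dn in group_dns)
    member = clauses if len(group_dns) == 1 else f"(|{clauses})"
    return f"(&{oc}{member})"


def parse_group_filter(filter_str: str, user_object_class: str,
                       membership_attr: str) -> list[str]:
    """Recover the group DNs from a filter produced by build_group_filter.

    Mirrors the preselection behaviour described on the page: a filter that
    does not match the generated form (hand-edited, different object class,
    different attribute) yields an empty list, i.e. nothing is preselected.
    """
    attr = re.escape(membership_attr)
    # An assertion value: runs of non-meta characters and \XX hex escapes.
    val = r"[^()*\\]*(?:\\[0-9a-fA-F]{2}[^()*\\]*)*"
    clause = rf"\({attr}=({val})\)"
    single = rf"^\(&\(objectClass=({val})\){clause}\)$"
    multi = rf"^\(&\(objectClass=({val})\)\(\|((?:{clause})+)\)\)$"

    m = re.fullmatch(single, filter_str)
    if m:
        if unescape_filter_value(m.group(1)) != user_object_class:
            return []
        return [unescape_filter_value(m.group(2))]

    m = re.fullmatch(multi, filter_str)
    if not m or unescape_filter_value(m.group(1)) != user_object_class:
        return []
    return [unescape_filter_value(v) for v in re.findall(clause, m.group(2))]


if __name__ == "__main__":
    # Constructed sample DNs; the parenthesised CN shows why escaping matters.
    groups = ["CN=VPN Users,OU=Groups,DC=example,DC=com",
              "CN=Admins (Tier 0),OU=Groups,DC=example,DC=com"]
    f = build_group_filter("user", "memberOf", groups)
    print(f)
    print(parse_group_filter(f, "user", "memberOf"))
    # A hand-written filter is not interpreted: no groups preselected.
    print(parse_group_filter("(&(objectClass=user)(cn=bob))", "user", "memberOf"))
```

The parse step deliberately refuses anything it did not generate rather than guessing, which matches the page's note that a non-matching existing filter is ignored and then overwritten on Use Filter; when reviewing a group configuration, compare the stored filter against the server's User object class and Group membership attribute settings before trusting what it selects.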

User groups for MAC-based RADIUS authentication

Once created, MAC user groups can then be used under the MAC-based authentication section of RADIUS clients, under Authentication > RADIUS Service > Clients. See RADIUS service for more information.

Importing user groups

To import user groups:
  1. From the user group list, select Import.

    The Import FAC groups page opens.

  2. Select the following:

    FAC group file (.csv)

    Select Upload a file, locate the CSV file on your computer, and click Open.

    Advanced options

    Action to take for existing groups missing from the CSV file

    You can select the action to take for existing groups missing from the CSV file:

    • Keep groups

    • Delete groups

  3. Select Import to import user groups.
