Open topic with navigation

User Permissions

When a user attempts to access an object (cluster, server, server pool, VLAN, etc.) on FortiADC, the system determines whether the user has permission to access the object as follows:

1. If the user’s definition has the admin flag enabled, then access is granted.
2. Otherwise, the user must have specific permission granted on the object for the access mode being attempted. For example, if the user attempts to display a cluster, then the user must have read permission on the cluster.

Permission to access an object is granted in one of two ways:

• The permit_object command gives the user the specified access permissions on the specified object.
• The permit_objlist command gives the user access permissions on all objects of a particular type as listed in the object list specified on the command line.

Using permit_object to Assign User Permissions on a Single Object

The user context permit_object command has the following syntax:

permit_object perm type object_name

For example, the following command executed in the global context assigns read and write permission to the server sv00 for the existing login user1:

Using permit_objlist to Assign User Permissions on a Group of Objects

The user context permit_objlist command has the following syntax for assigning read, write, and delete permissions:

This form of the permit_objlist command assigns the given permission (perm) on all objects of the specified type that appear in the object list specified by objlist_name. The command arguments for assigning permission to objects in an object list are as follows:

• perm - One or more of the following permissions: read, write, delete. Multiple permissions must be separated by commas. If spaces are included, the entire list of permissions must be enclosed in quotes.
• type - One of the following object types: cert,cluster, crl,geocluster,geosite,port,server,srvpool,subnet,user,vlan.
• objlist_name - The name of an existing object list.

For example, the following command executed in the global context assigns read and write permission to all of the servers listed in the object list objlist1 for the login user1:

For more information on object lists, please see Object List Commands.

Using permit_objlist to Allow a User to Create Objects

The user context permit_objlist command has the following syntax for assigning the create permission to a user:

• This form of the permit_objlist command allows the user to create objects of the specified type. The command arguments for assigning permission to objects in an object list are as follows:
• type - One of the following object types: cert,cluster,crl,geocluster,geosite,port,server, srvpool,subnet,user,vlan.
• default - Specifies that objects created by this user will only be visible to the user creating the object and any user with the admin flag set.
• objlist_name - Specifies that the user can supply the given object list name as an argument when creating objects of the specified type. An entry for the created object is placed in the object list. Objects created in this manner will be visible to other users who have permission to use this object list.

For example, the following command executed in the global context allows user1 to create servers that other non-admin users cannot access:

The following command allows user1 to create servers and specify the objlist1 object list when creating a server, thus adding the new server to objlist1: