Administrator user overview
In its factory default configuration, FortiADC has one administrator account named admin. This administrator has permissions that grant Read-Write access to all system functions.
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.
To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so using access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Basic steps
1. Configure access profiles to provision permissions to roles.
2. Optional. Create RADIUS or LDAP server configurations if you want to use a RADIUS or LDAP server to authenticate administrators. Otherwise, you can use local authentication. The local authentication server for administrator accounts is separate from the local authentication server for destination server users.
3. Create administrator user accounts with permissions provisioned by the profiles.