Chapter 3 Authentication for FortiOS 5.0 : Users and user groups : User groups
  
User groups
A user group is a list of user identities. An identity can be:
a local user account (username/password) stored on the FortiGate unit
a local user account with the password stored on a RADIUS, LDAP, or TACACS+ server
a PKI user account with digital client authentication certificate stored on the FortiGate unit
a RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on that server
a user group defined on an FSSO server.
Identity-based policies and some types of VPN configurations allow access to specified user groups only. This restricted access enforces Role Based Access Control (RBAC) on your organization's network and its resources. A user must be a member of a group, and that group must be referenced in the security policy; a user account that belongs to no group, or whose group is not selected in any policy, is never granted access.
 
You cannot change the type of a group unless the group is empty.
In most cases, the FortiGate unit authenticates users by requesting their username and password. The FortiGate unit checks local user accounts first. If a match is not found, the FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group. Authentication succeeds when a matching username and password are found. If the user belongs to multiple groups on a server, those groups will be matched as well.
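The following CLI configuration is an added example and is not taken from the FortiOS documentation. It ties together the points above: a firewall group whose members are one local account and one LDAP server, a match entry that restricts the LDAP members to a particular directory group, and an identity-based policy that references the group. Every name and value in it is assumed for illustration (the user "alice", the server "corp-ldap" at 10.0.0.5, the group "vpn-admins", the bind DN and directory group DN, the interfaces "internal" and "wan1", and policy ID 10). The identity-based-policy sub-table is the FortiOS 5.0 form; later releases set the group directly on the policy.

```fortios
# Local account, stored on the FortiGate unit (assumed name and password)
config user local
    edit "alice"
        set type password
        set passwd "S3cret-Local!"
    next
end

# Remote LDAP server. "regular" bind means the FortiGate unit authenticates
# to the directory with its own service account before searching for the user.
# Server address, base DN and bind DN are assumed values.
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,ou=svc,dc=example,dc=com"
        set password "S3cret-Bind!"
    next
end

# Firewall user group. Local members are checked first; if no local match is
# found, the LDAP server member is queried. The match entry limits which LDAP
# users count as group members: only those in the named directory group.
config user group
    edit "vpn-admins"
        set group-type firewall
        set member "alice" "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=VPN Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Identity-based policy. Without a sub-policy naming the group, membership in
# "vpn-admins" grants nothing; without group membership, the user never matches.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "vpn-admins"
                set schedule "always"
                set service "HTTPS"
            next
        end
    next
end
```

To confirm that the remote half of the lookup behaves as intended before putting the policy into service, test the server binding and group lookup from the CLI with `diagnose test authserver ldap corp-ldap <username> <password>`; the output shows whether the bind succeeded and which directory groups the user was found in, which is what the match entry is compared against.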
 
FortiOS does not allow username overlaps between RADIUS, LDAP, or TACACS+ servers.
There are two types of FortiGate user groups: Firewall user groups and FSSO user groups.