2.4.3 Ensure admin accounts with different privileges have their correct profiles assigned


Verify that users with access to the Fortinet should only have the minimum privileges required for that particular user.


In some organizations, it is necessary to create different levels of administrative accounts. For example, technicians from tier 1 support should not have total access to the system compared to a tier 3 support.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


In this example, the goal is to provide the profile 'tier_1' the ability to view and modify address objects. This sub-privilege is under fwgrp privilege.

FGT1 # config system accprofile
FGT1 (accprofile) # edit 'tier_1'
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #

For the GUI, go to:

1. System -> Admin Profiles, select 'tier_1' and click 'Edit'.
2. On 'Firewall', click on 'Custom'.
3. Click on 'Read/Write' option for 'Address'.

In the next example, assign the profile 'tier_1' to the account 'support1'.
In the CLI:

FGT1 # config system admin
FGT1 (admin) # edit 'support1'
FGT1 (support1) # set accprofile 'tier_1'
FGT1 (support1) # end
FGT1 #

For the GUI, go to:

1. System -> Administrators.
2. Select 'support1' and click 'Edit'.
3. Under 'Administrator Profile', select 'tier_1'.

Default Value:

By default, there are only 2 profiles: prof_admin and super_admin. You must select a profile to create an admin account. The system will not automatically choose for you.

See Also


Item Details


References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: FortiGate

Control ID: 5d21fbec9bbd63bf19eda9f4a698500e7d7975beeffd447c4ed03e7b47e3f027