Fortinet black logo

EMS Administration Guide

Configuring admin roles

Configuring admin roles

You can use admin roles to define the permissions each administrator account has in FortiClient EMS. You can use one of the four default admin roles in FortiClient EMS (super administrator, standard administrator, endpoint administrator, restricted administrator) or create a new admin role to assign to an administrator account. Each admin role can include permissions from three categories: endpoint permissions, policy permissions, and settings permissions.

The following describes the four default admin roles in FortiClient EMS. You cannot edit or delete these admin roles.

Name

Description

Super administrator

Most privileged admin role. Complete access to all FortiClient EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions.

The default admin account is configured as a Super Administrator and cannot be changed to another admin role.

Standard administrator

Includes all endpoint and policy permissions, and read-only permissions to settings permissions.

Endpoint administrator

Includes all endpoint permissions and read-only permissions to policy and settings permissions.

Restricted administrator

No permissions enabled.

For admin roles that are not authorized for certain tasks or devices, EMS hides or disables the related menu items, items in content pages, and buttons.

Configuring admin roles

You can use admin roles to define the permissions each administrator account has in FortiClient EMS. You can use one of the four default admin roles in FortiClient EMS (super administrator, standard administrator, endpoint administrator, restricted administrator) or create a new admin role to assign to an administrator account. Each admin role can include permissions from three categories: endpoint permissions, policy permissions, and settings permissions.

The following describes the four default admin roles in FortiClient EMS. You cannot edit or delete these admin roles.

Name

Description

Super administrator

Most privileged admin role. Complete access to all FortiClient EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions.

The default admin account is configured as a Super Administrator and cannot be changed to another admin role.

Standard administrator

Includes all endpoint and policy permissions, and read-only permissions to settings permissions.

Endpoint administrator

Includes all endpoint permissions and read-only permissions to policy and settings permissions.

Restricted administrator

No permissions enabled.

For admin roles that are not authorized for certain tasks or devices, EMS hides or disables the related menu items, items in content pages, and buttons.