Fortinet black logo

Administrator settings improvements

Copy Link
Copy Doc ID b195a357-50a9-11e9-94bf-00505692583a:752911
Download PDF

Administrator settings improvements

EMS 6.2.0 introduces five major improvements to administrator settings:

Support for three types of administrators

Administrators can be one of three types of users:

User type

Description

EMS

Created in EMS. This includes the built-in "admin" user.

Windows

Created by the local Windows system.

LDAP

Imported from the domain server.

To create an EMS administrator:
  1. Go to Administration > Administrators. Click Add.
  2. Under User Source, select Create a new user. Click Next.
  3. In the Username field, enter the desired username.
  4. From the Role dropdown list, select the desired role. Click Next.

  5. On the Password tab, create a password for the user. Click Save. Once you save the user, you can view the created user on the Administration > Administrators pane. The Source is listed as EMS.

Support for multiple LDAP servers

You can configure multiple LDAP servers on EMS to import users from.

To configure an LDAP server:
  1. Go to Administration > User Servers. Click Add.
  2. Enter the domain credentials. Click Test. Once the test is successful, click Save.

    In this example, after EMS imports the LDAP server successfully, the Administration > User Servers pane lists two imported LDAP servers.

Permission management based on administrator roles

You can use administrator roles to manage permissions. There are four predefined roles configured with different permissions:

Name

Description

Super administrator

Most privileged admin role. Complete access to all EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions.

The default admin account is configured as a Super Administrator and cannot be changed to another admin role.

Standard administrator

Includes all endpoint and policy permissions, and read-only permissions to settings permissions.

Endpoint administrator

Includes all endpoint permissions and read-only permissions to policy and settings permissions.

Restricted administrator

No permissions enabled.

You can also define a new role with customized permissions.

To define a custom admin role:
  1. Go to Administration > Admin Roles. Click Add.
  2. In the Name field, enter the desired name.
  3. Select the desired permission checkboxes.
  4. Click Save. The role appears on the Administration > Admin Roles pane.

Categorized and refined administrator permissions

When creating or modifying an admin role, all available permissions are categorized into endpoint, policy, and setting permissions. Permissions for new features include permissions related to endpoint policies, host verification, quarantine management, and software inventory.

You can click Click here to hide permissions that are not applicable to Chromebook management to view permissions that only apply to Windows, macOS, and Linux endpoint management.

Restricting login to trusted hosts

With the Trusted Hosts feature, you can allow remote access to EMS only on defined trusted hosts. You can define a trusted host using an IPv4 or IPv6 address or a fully qualified domain name (FQDN).

To define trusted hosts:
  1. Go to Administration > Administrators.
  2. Create a new administrator or modify an existing administrator.
  3. Enable Restrict Login to Trusted Hosts.

  4. In the Trusted Hosts field, enter an IPv4 or IPv6 address or an FQDN. If desired, you can enter multiple hosts using the + button. The trusted host details appear on the administrator page.

Administrator settings improvements

EMS 6.2.0 introduces five major improvements to administrator settings:

Support for three types of administrators

Administrators can be one of three types of users:

User type

Description

EMS

Created in EMS. This includes the built-in "admin" user.

Windows

Created by the local Windows system.

LDAP

Imported from the domain server.

To create an EMS administrator:
  1. Go to Administration > Administrators. Click Add.
  2. Under User Source, select Create a new user. Click Next.
  3. In the Username field, enter the desired username.
  4. From the Role dropdown list, select the desired role. Click Next.

  5. On the Password tab, create a password for the user. Click Save. Once you save the user, you can view the created user on the Administration > Administrators pane. The Source is listed as EMS.

Support for multiple LDAP servers

You can configure multiple LDAP servers on EMS to import users from.

To configure an LDAP server:
  1. Go to Administration > User Servers. Click Add.
  2. Enter the domain credentials. Click Test. Once the test is successful, click Save.

    In this example, after EMS imports the LDAP server successfully, the Administration > User Servers pane lists two imported LDAP servers.

Permission management based on administrator roles

You can use administrator roles to manage permissions. There are four predefined roles configured with different permissions:

Name

Description

Super administrator

Most privileged admin role. Complete access to all EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions.

The default admin account is configured as a Super Administrator and cannot be changed to another admin role.

Standard administrator

Includes all endpoint and policy permissions, and read-only permissions to settings permissions.

Endpoint administrator

Includes all endpoint permissions and read-only permissions to policy and settings permissions.

Restricted administrator

No permissions enabled.

You can also define a new role with customized permissions.

To define a custom admin role:
  1. Go to Administration > Admin Roles. Click Add.
  2. In the Name field, enter the desired name.
  3. Select the desired permission checkboxes.
  4. Click Save. The role appears on the Administration > Admin Roles pane.

Categorized and refined administrator permissions

When creating or modifying an admin role, all available permissions are categorized into endpoint, policy, and setting permissions. Permissions for new features include permissions related to endpoint policies, host verification, quarantine management, and software inventory.

You can click Click here to hide permissions that are not applicable to Chromebook management to view permissions that only apply to Windows, macOS, and Linux endpoint management.

Restricting login to trusted hosts

With the Trusted Hosts feature, you can allow remote access to EMS only on defined trusted hosts. You can define a trusted host using an IPv4 or IPv6 address or a fully qualified domain name (FQDN).

To define trusted hosts:
  1. Go to Administration > Administrators.
  2. Create a new administrator or modify an existing administrator.
  3. Enable Restrict Login to Trusted Hosts.

  4. In the Trusted Hosts field, enter an IPv4 or IPv6 address or an FQDN. If desired, you can enter multiple hosts using the + button. The trusted host details appear on the administrator page.