Adding a multitenancy administrator
To add a multitenancy administrator:
- From the global site, go to Administration > Administrators.
- Click Add.
- Configure the administrator as Configuring user accounts describes. When adding a new administrator from the global site, you can create a local administrator or configure a Windows or LDAP user. When adding a new administrator from the site level, you can only configure an LDAP user. Administrator names from the same source (EMS, LDAP, or Windows) must be unique across all sites. Administrators can have the same name if they are from different sources. When configuring the administrator role, select from one of the following. The following administrator roles are specific to global administrator mangement when multitenancy is enabled:
Full access to the global site and all other sites. Can access all configuration options on all sites, including the global site. The built-in admin account is a super administrator and cannot be configured as another administrator role.
Access to the global site only. Can access all configuration options on the global site, except for administrator configuration.
Access to specified sites only, with no access to the global site. A site administrator can have access to multiple sites. By default, a site administrator is a super administrator for all sites that they have access to. A site administrator can configure the site license and system settings, including server, FortiGuard, login banner, alerts, and SMTP server settings. You can modify the site administrator's available configuration options for a site by assigning them a different admin role for that site after you log in to the site. See Admin roles.
- Click Finish. The new administrator appears on the Administrators page.
The following example shows a site administrator, AlecB. The Global Administration > Administrators page shows that AlecB has access to two sites, SiteA and SiteB.
The SiteA Administration > Administrators page shows that AlecB is a super administrator for this site. This means that AlecB has complete access to all EMS permissions within SiteA, as described in Admin roles.
The SiteB Administration > Administrators page shows that AlecB is a read-only administrator for this site. This means that AlecB has only read-only access to endpoint, policy, and settings permissions within SiteB, as described in Admin roles.
If you had configured a SAML SSO administrator prior to enabling multitenancy, enabling multitenancy causes this administrator to become a global superadministrator. You can configure a different role for this administrator. You can only have one SAML SSO administrator for the entire EMS server.