Wildcard admin user is supported in the per-ADOM admin profile 7.2.2
Wildcard admin users now support per-ADOM admin profiles, with an optional profile override. For more information about the per-ADOM admin profile feature, see Per-ADOM admin profile 7.2.1.
Additionally, the profile override option lets the ADOMs and admin profiles configured on the remote authentication server take precedence over the per-ADOM profiles configured locally on FortiManager, if needed.
To configure a wildcard user with the per-ADOM admin profile feature:
- Go to System Settings > Admin > Administrators, and click Create New.
You can also edit an existing user to configure per-ADOM access.
- Select the Admin Type, authentication server, and enable Match all users on remote server to create a wildcard user.
- For Administrative Domain, specify the ADOMs the users will be able to access.
- For Admin Profile, select Per-ADOM.
- Using the Profile dropdowns, select an admin profile for each ADOM.
The profile determines the administrator's access to the FortiManager features when they are in that ADOM.
In the example pictured below, a TACACS+ wildcard user is configured. The same steps apply to any other style of wildcard user (for example RADIUS or LDAP).
In this example, users logging in through the TACACS+ wildcard user have profile1 access in adom1 and profile2 access in adom2. profile1 is configured with read-write access to all FortiManager features, while profile2 is limited to Device Manager and Policy & Objects.
To use the override feature for wildcard users with per-ADOM profiles:
- Configure per-ADOM access on the remote authentication server.
In this example, the user is configured on the TACACS+ server with profile1 access in adom1 and profile2 access in adom2. As above, profile1 is configured with read-write access to all FortiManager features, and profile2 is limited to Device Manager and Policy & Objects.
- Configure the wildcard user.
In this example, the wildcard user has a per-ADOM configuration with Restricted_User access in adom1 and Standard_User access in adom2. See image below.
- In the Advanced Options for the wildcard user, enable ext-auth-adom-override.
Because ext-auth-adom-override is enabled, users logging in through the TACACS+ wildcard user receive the per-ADOM access configured on the TACACS+ server rather than the per-ADOM access configured locally: profile1 access in adom1 instead of Restricted_User, and profile2 access in adom2 instead of Standard_User. Note that with the override enabled, the remote authentication server decides which admin profile applies in each ADOM, so that server and its attribute configuration must be trusted and protected to the same degree as FortiManager's own administrator configuration.
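Because the override delegates per-ADOM privilege assignment to the remote server, an administrator auditing a FortiManager will want to know which wildcard accounts have it enabled. The following is an added example, not part of the original page or of Fortinet's own tooling: it parses the `config system admin user` table from a CLI configuration export and lists wildcard users with ext-auth-adom-override enabled. The sample export is constructed here, and the attribute names (user_type, wildcard, tacacs-plus-server, radius_server, profileid, adom, ext-auth-adom-override) are written as the editor recalls them from the FortiManager CLI; verify them against a real export from your own unit before relying on the script.

```python
import re

# Constructed sample of a FortiManager CLI export (not a real device export).
# Attribute names are assumed to follow FortiManager's "config system admin user" syntax.
SAMPLE_CONFIG = """\
config system admin user
    edit "admin"
        set user_type local
        set profileid "Super_User"
    next
    edit "tacacs_wildcard"
        set user_type tacacs-plus
        set tacacs-plus-server "tacacs1"
        set wildcard enable
        set profileid "Restricted_User"
        set adom "adom1" "adom2"
        set ext-auth-adom-override enable
    next
    edit "radius_wildcard"
        set user_type radius
        set radius_server "radius1"
        set wildcard enable
        set profileid "Standard_User"
        set adom "adom1"
        set ext-auth-adom-override disable
    next
end
"""


def parse_admin_users(config_text):
    """Return {username: {attribute: value}} for every entry in 'config system admin user'.

    Only the edit/set/next/end structure of the CLI export is interpreted; values are
    stored as strings with quotes removed, so multi-value lines such as
    'set adom "adom1" "adom2"' become 'adom1 adom2'.
    """
    users = {}
    in_table = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin user":
            in_table = True
            continue
        if not in_table:
            continue
        if line == "end":          # end of the admin user table
            break
        m = re.match(r'^edit "(.*)"$', line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line == "next":         # end of one user entry
            current = None
            continue
        m = re.match(r"^set (\S+) (.*)$", line)
        if m and current is not None:
            users[current][m.group(1)] = m.group(2).replace('"', "")
    return users


def delegated_privilege_accounts(config_text):
    """List (username, user_type, remote_server) for wildcard users whose per-ADOM
    profiles are taken from the remote authentication server (override enabled)."""
    findings = []
    for name, attrs in parse_admin_users(config_text).items():
        if attrs.get("wildcard") != "enable":
            continue
        if attrs.get("ext-auth-adom-override") != "enable":
            continue
        server = attrs.get("tacacs-plus-server") or attrs.get("radius_server") or "?"
        findings.append((name, attrs.get("user_type", "?"), server))
    return findings


if __name__ == "__main__":
    for name, user_type, server in delegated_privilege_accounts(SAMPLE_CONFIG):
        print(f"{name}: {user_type} wildcard user, per-ADOM profiles come from {server}")
```

Run it against `show system admin user` output saved to a file; any account it reports is one whose FortiManager privileges are effectively controlled by the listed remote server, so the local per-ADOM profile shown for that user in the GUI is not what those logins actually get.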