Administration Guide

What's new in FortiPAM
- FortiPAM 1.3.0
Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
- License expiry and renewal
- Renewing FortiPAM-VM license
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
  - FortiGuard Distribution Network
- VM license
Secrets
- Secret list
- Target list
  - Creating a target
  - Web proxy
- Gateway
- Personal/public folder
  - Creating a folder
- My requests list
  - Make a request
- Approval list
  - Approving a request
  - Reviewing multiple requests
- Job list
  - Creating a job
- Discovery
  - Creating discovery entry
Secret settings
- Classification tags
  - Creating a classification tag
- Templates
  - Creating secret templates
- Launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Policies
  - Creating a policy
    - Applying a policy to a folder
- Addresses
  - Creating an address
  - Creating an address group
- Dependency updater
  - Creating a dependency updater
  - Updating a service account credential Example
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
- Approval email template
  - Creating an approval email template
  - Creating an approval email template using the CLI
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Character sets
  - Creating a character set
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
- DLP file pattern
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Event filter profile
  - Creating an event filter profile
- Integrity check
  - Creating a client software entry for integrity check
User management
- User list
  - Creating a user
  - Importing LDAP users
- User groups
  - Auto provision rules
- Sponsored groups
- Role
  - Access control options
  - Log permissions
- LDAP servers
- SAML Single Sign-On (SSO)
- Auto provision rules
  - Creating an auto provision rule
  - Setting up remote user auto provisioning using the CLI
- RADIUS servers
- Schedule
- FortiTokens
Monitoring
- User monitor
- Active sessions
  - Over-the-shoulder monitoring (Live recording)
Log & report
- Secret
- Events
- ZTNA
- SSH
- Antivirus
- Date leak prevention
- Reports
  - General
    - Reports
    - Layout & schedule
  - Secret audit
- Log settings
  - Configuring log and video disk encryption
- Email alert settings
  - Email alert when the glass breaking mode is activated example
- Debug settings
- Automation trigger settings
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- Static routes
  - Creating an IPv4 static route
- DNS settings
- Security fabric
  - Fabric Connectors
    - FortiAnalyzer logging
- Packet capture
  - Creating a packet capture filter
System
- Settings
  - Testing the email service connection example
  - How FortiPAM chooses the sender email address
- ZTNA
- High availability
- Certificates
- Replacement messages
  - Replacement messages descriptions
  - Editing a replacement message
    - Managing images
      - Adding an image
- SNMP
- Backup
  - Sending backup file to a server Example
- Firmware
- FortiPAM license
  - Stackable seat license for hardware models
- FortiGuard license
- Disclaimers via the CLI
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
- Issue: WebRDP session recording fails and closes active session
- Troubleshooting log and video disk encryption issues
Hardening
- Secure password storage
- Verify the private-data-encryption feature Example
- How to restore a backup configuration file with private-data-encryption enabled Example
- Enabling private-data-encryption on an HA cluster Example
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Appendix F: Installation on Hyper-V
Appendix G: Installation on Azure
Appendix H: FortiPAM hardware RAID CLI commands
Appendix I: Default launchers parameters
Appendix J: Installation on AWS
Appendix K: Installation on GCP
Appendix L: WinRM configuration for Windows server
Appendix M: FortiPAM browser extension and standalone FortiClient air-gapped installation
Appendix N: Performance test results
Change Log

Home FortiPAM 1.3.0 Administration Guide

1.3.0

User groups

User Groups in User Management displays a list of user groups.

The following two default user groups are available:

everyone: By default, every user belongs to this user group.
fortipam_auth_group: By default, the Super Administrator admin user belongs to this user group. Users can be added or removed from this user group.

Users can be assigned to groups during user account configuration, or by creating or editing the groups to add users to it.

The User Groups tab contains the following options:

Create	Select to create a new user group.
Edit	Select to edit the selected user group.
Delete	Select to delete the selected user groups.
Search	Enter a search term in the search field, then hit `Enter` to search the user groups list. To narrow down your search, see Column filter.

To create a new user group:

Go to User Management > User Groups.
Select Create to create a new user group.
The General tab in the Create New User Group window opens.
To switch to the Permission tab, select the tab.

In the General tab, enter the following information:

Name

Name of the group.

Type

Select the type of the group:

Remote
Local User

Members

Select + to add existing members to the user group from the list and select Close, or in the Select Entries window, select + to create a new user.

See Creating a user.

Use the search bar to look for a user.

Remote Groups

By adding a remote server to the user group, the group will contain all user accounts on that server.

Optionally, a specific user group on the remote server can be included to restrict the scope to that group.

See Creating Remote Groups.

Note: This pane is available only when the Type is Remote.

Select remote groups from the list and select Delete to delete the remote groups.

Select a remote group from the list and select Edit to edit the remote group.

Switch to the Permission tab and enter the following information:

Access

Select from the following two options:

Everyone: All the members of the user group have complete access to the user group.
Customized: Customize the level of access for members in the user group.

User Permission

The level of user access to the user group. See User Permission.

Note: The option is only available when Access is set to Customized.

Click OK.

To create a new remote group:

In the Create New User Group window, select Create in Remote Groups.
The Remote Groups pane is only available when the Type is Remote.
The Add Group Match window opens.

In Remote Server dropdown, select LDAP, RADIUS, and SAML servers:

If an LDAP server is selected, from the remote users list, select the remote users to import.

At least one LDAP server must be already configured. See LDAP servers.

Hold ctrl and click to select multiple users.

To narrow down your search, see Column filter.

You can filter your search by Group, or enter a custom filter and select Apply.

Enable Show entries in subtree to list remote users in the subtree.

LDAP filters consist of one or more clauses which can be combined with logical AND/OR operators.

Filter syntax differs depending on the LDAP server software.

See the following examples examples:

Users with given name starting with the letter "h":
(&(objectClass=person)(givenName=h*))
All groups:
(&(objectClass=posixGroup)(cn=*))

Optionally, if a RADIUS server is selected, select +, and enter group names in Groups.
At least one RADIUS server must be already configured. See RADIUS servers.
Optionally, if a SAML server is selected, select +, and enter group names in Groups.
At least one SAML server must be already configured.

Click OK to save changes to group match.

Alternatively, use the CLI commands to create a user group.

User Permission

To set up user permission:

In step 5 when Creating a user group, provided that Access is set to Customized, select Create in User Permission.
The New User Permission window opens.

Enter the following information:

Users

Select + and from the list, select users in the Select Entries window.

To add a new user:

From the Select Entries window, select + and then select +UserList.
The New User List wizard open.
Follow the steps in Creating a user, starting step 2 to create a new user.

Use the search bar to look up a user.

Use the pen icon next to a user to edit it.

Permission

From the dropdown, select an option:

Viewer: Ability to view the user group.
Owner: The highest possible permission level with the ability to create, edit, and delete user groups.

Click OK.

CLI configuration to set up an LDAP user group example:

 config user group
  edit <ldap_group_name>
   set member <ldap_server_name>
   config match		
    edit 1
     set server-name <ldap_server_name>
     set group-name "cn=User,dc=XYA, dc=COM"			 
    next
   end
  next
 end

CLI configuration to set up a RADIUS user group example:

 config user group
  edit <radius_group_name>
   set member <radius_server_name>
  next
 end