On FortiWeb, user accounts are not used to log in to the administrative web UI.
Instead, they add HTTP-based authentication and authorize each request from clients connecting through FortiWeb to your protected web servers.
Best practices dictate that each person accessing your websites should have his or her own account so that security audits can reliably associate a login event with a specific person. Accounts should be restricted to URLs for which they are authorized. Authorization may be derived from a person’s role in the organization.
For example, a CFO would reasonably have access to all financial data, but a manufacturing technician usually should not. Such segregation of duties in financial regulation schemes often translates to role-based access control (RBAC) in information systems, which you can implement through FortiWeb’s HTTP authentication and authorization rules.
For details, see Offloading HTTP authentication & authorization.
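The policy described above (one account per person, URL access derived from the person's role, and every decision traceable to a named account for audit) can be modelled in a few lines. The following is an added illustration and is not FortiWeb configuration or code; the account names, role names and URL prefixes are constructed for the example. It also normalizes the request path before prefix matching, so that a path such as /intranet/../finance/ cannot slip past a rule written for /finance/.

```python
"""Illustrative role-based URL authorization for proxied HTTP requests.

Added example, not FortiWeb's own configuration or code. It models the policy
the text describes: accounts are per person, roles are assigned per account,
roles grant URL prefixes, and each allow/deny decision is tied to the account
so an audit log can associate the event with a specific person.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample accounts: one per person, each with a set of roles.
USER_ROLES = {
    "alice.cfo": {"finance", "staff"},
    "bob.technician": {"manufacturing", "staff"},
}

# Constructed role -> allowed URL path prefixes (directory-style prefixes).
ROLE_PATHS = {
    "staff": ["/intranet/"],
    "finance": ["/finance/", "/reports/financial/"],
    "manufacturing": ["/manufacturing/"],
}


@dataclass
class Decision:
    user: str
    path: str
    allowed: bool
    matched_role: Optional[str]
    reason: str


def _normalize_path(raw_url: str) -> str:
    """Keep only the path, dropping scheme, host and query, and collapse
    '.' and '..' segments so a prefix rule cannot be bypassed by traversal."""
    path = urlsplit(raw_url).path or "/"
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def authorize(user: str, raw_url: str) -> Decision:
    """Return an allow/deny decision for one request from one account.

    A request is allowed only if at least one of the account's roles grants a
    prefix that covers the normalized path; unknown accounts are always denied.
    """
    path = _normalize_path(raw_url)
    roles = USER_ROLES.get(user)
    if roles is None:
        return Decision(user, path, False, None, "unknown account")
    for role in sorted(roles):  # deterministic order for reproducible audit output
        for prefix in ROLE_PATHS.get(role, []):
            if path == prefix.rstrip("/") or path.startswith(prefix):
                return Decision(user, path, True, role, f"role {role} grants {prefix}")
    return Decision(user, path, False, None, "no role grants this URL")


def audit_line(decision: Decision) -> str:
    """Format a decision so that the log names the person, not just the URL."""
    action = "allow" if decision.allowed else "deny"
    return (f'user={decision.user} path={decision.path} '
            f'action={action} reason="{decision.reason}"')


if __name__ == "__main__":
    # Constructed sample traffic: a CFO, a technician, and an unknown account.
    samples = [
        ("alice.cfo", "/finance/ledger.csv"),
        ("bob.technician", "/finance/ledger.csv"),
        ("bob.technician", "/intranet/../finance/ledger.csv"),
        ("bob.technician", "/manufacturing/workorders/123"),
        ("mallory", "/intranet/"),
    ]
    for account, url in samples:
        print(audit_line(authorize(account, url)))
```

The sorted-role loop and the prefix check are deliberately simple; the point is that the decision is made per account and per URL, and that the path is canonicalized before the rule is applied, which is what makes the resulting audit trail trustworthy.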
Note: User authentication is not supported in all operation modes. For details, see Supported features in each operation mode.