NSE4 Question #395: Real Exam Question with Answer & Explanation

Question

You have created a new administrator account, and assign it the prof_admin profile. Which is false about that account's permissions?

Options

• AIt cannot upgrade or downgrade firmware.
• BIt can create and assign administrator accounts to parts of its own VDOM.
• CIt can reset forgotten passwords for other administrator accounts such as "admin".
• DIt has a smaller permissions scope than accounts with the "super_admin" profile.

Explanation

The prof_admin account, a VDOM-scoped administrative profile, lacks the necessary global privileges to reset passwords for other administrator accounts, especially those with super_admin rights.

Common mistakes.

• A. It is true that a prof_admin account cannot upgrade or downgrade firmware, as these are global system-level operations typically reserved for super_admin profiles.
• B. A prof_admin account is typically able to create and manage administrator accounts within the VDOMs it has been assigned access to.
• D. The prof_admin profile is designed with a VDOM-specific scope, which is inherently smaller and more restricted than the device-wide, comprehensive permissions of a super_admin profile.

Concept tested. FortiGate administrator profiles and permissions

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/597341/default-admin-profiles

No community discussion yet for this question.