Global policy packages are managed centrally within the global ADOM by a superadmin or an administrator with appropriate permissions, such as a service provider administrator. When a global policy package is assigned to a customer ADOM, its header and footer policies are inherited and are strictly read-only for administrators confined to that customer ADOM. This hierarchical design ensures consistent, top-down policy enforcement across multiple ADOMs, preventing local administrators from overriding or altering the centrally mandated security rules. The customer administrator can only create and manage policies between the global header and footer policies.

A. The customer administrator is explicitly restricted to MyADOM and does not have the necessary permissions or access to log in to or operate within the global ADOM.

B. Workflow mode facilitates a change management process but does not override fundamental ADOM access permissions. The customer administrator still cannot access the global ADOM to initiate any changes.

C. There is no feature in FortiManager that allows a service provider administrator to "unlock" a global policy for editing by a local ADOM administrator. Global policies are exclusively managed from the global ADOM.

1. Fortinet FortiManager Administration Guide 7.2.0

Page 518

Section: "Global policy packages".

The guide states: "When a global policy package is assigned to an ADOM

the policies in the global policy package are inherited by the ADOM. The policies are read-only in the ADOM." This directly confirms that the customer administrator cannot edit the inherited global policies.

2. Fortinet FortiManager Administration Guide 7.4.1

Page 581

Section: "Global policy packages".

This section details the structure: "The global policy package contains two sections: Header policies and Footer policies. Header policies are inserted before the ADOM policies

and Footer policies are inserted after the ADOM policies." This illustrates the hierarchy where the ADOM administrator works between the unchangeable global policies.

3. Fortinet FortiManager Administration Guide 7.4.1

Page 101

Section: "Administrative Domains (ADOMs)".

The documentation explains the purpose of ADOMs: "ADOMs enable the superadmin to create groupings of devices for administrators to monitor and manage." This reinforces the principle of administrative segregation

where a customer administrator's scope is intentionally limited to their assigned ADOM.