Create REST API administrator users

A REST API administrator is required to generate an authorization token prior to sending requests for supported FortiADC REST APIs. You can create a REST API administrator account through the GUI and an authorization token, the API key, will be automatically generated and assigned to the user.

Although users can use an API request to create a REST API administrator account, the resulting token would not be properly assigned to the user. Without an assigned user this authorization token would be invalid and would not be able to access the supported FortiADC REST APIs.

Before you begin:
  • You must have Read-Write permission for System settings.
To create a REST API administrator in the GUI:
  1. Go to System > Administrator.
  2. Select the Admin tab.
  3. Click Create New > REST API Admin to display the configuration editor.
  4. Configure the following settings:

    Setting / Description

    Name
      Enter the login name of the REST API administrator account.
      The maximum length is 35 characters. Do not use spaces or special characters except the ‘at’ symbol ( @ ). Using special characters like <, >, (, ), #, ", or ' in the administrator account name can result in a cross-site scripting (XSS) vulnerability.
      After you initially save the configuration, you cannot edit the name.

    Comments
      Optionally, enter comments about the administrator account.

    Global Admin
      Select either of the following global admin access options:
      • No — The account can access the virtual domain specified in this configuration only. This is the default option.
      • Yes — The account can access all virtual domains.

    Administrator profile
      The Administrator profile option appears if Global Admin is No.
      Select a user-defined or predefined profile to use for the new administrator.
      The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.
      Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    CORS Allow Origin Toggle
      Enable/disable Cross-Origin Resource Sharing (CORS) for browsers.

    CORS Allow Origin
      The CORS Allow Origin option appears if CORS Allow Origin Toggle is enabled.
      Specify the URL that can access the REST API.

    Restricted to trusted hosts
      Enable/disable the use of Trusted Hosts to allow only specific IP addresses to log in to the REST API.

    Trusted Hosts
      The Trusted Hosts option appears if Restricted to trusted hosts is enabled.
      Specify the trusted host IP address and netmask allowed to log in to the REST API. For multiple addresses, separate each entry with a space. You can specify up to three trusted entries. They can be single hosts, subnets, or a mixture.

  5. Click Save.
    The New API Key pane opens.

    The API key is the REST API authorization token that is used in REST API calls.
  6. Copy the API key to a secure location.
    This API key will not be displayed anywhere else after you close the pane. If this one is lost or compromised, you can regenerate a new key by editing the REST API Admin user. Once regenerated, the previous token will no longer be valid.
  7. Click OK.
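The Name and Trusted Hosts constraints above are easy to get wrong when the values are assembled by a provisioning script. The following Python helper, added here as an example and not part of the Fortinet handbook or FortiADC itself, pre-checks a proposed login name and parses a space-separated Trusted Hosts string into networks so you can confirm which client addresses the restriction will actually admit before saving. The character rule for names (letters, digits and @ only) is a conservative reading of the page's guidance; the sample values are constructed.

```python
import ipaddress
import re

# Limits stated on the handbook page.
MAX_NAME_LEN = 35
MAX_TRUSTED_ENTRIES = 3

# Conservative reading of "no spaces or special characters except @":
# only ASCII letters, digits and the at-sign are accepted (assumption).
_NAME_RE = re.compile(r"^[A-Za-z0-9@]+$")


def validate_admin_name(name: str) -> list:
    """Return a list of problems with a proposed REST API admin login name
    (empty list means the name satisfies the documented constraints)."""
    problems = []
    if not name:
        problems.append("name is empty")
        return problems
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name exceeds {MAX_NAME_LEN} characters")
    if not _NAME_RE.match(name):
        problems.append("name contains spaces or special characters other than '@'")
    return problems


def parse_trusted_hosts(value: str) -> list:
    """Parse the Trusted Hosts field (space-separated hosts/subnets, at most
    three) into ip_network objects. Accepts 'a.b.c.d', 'a.b.c.d/24' and
    'a.b.c.d/255.255.255.0' forms; a bare host becomes a /32 (or /128)."""
    entries = value.split()
    if not entries:
        raise ValueError("Trusted Hosts must list at least one host or subnet")
    if len(entries) > MAX_TRUSTED_ENTRIES:
        raise ValueError(f"at most {MAX_TRUSTED_ENTRIES} trusted entries are allowed")
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_trusted(client_ip: str, networks: list) -> bool:
    """True if client_ip falls inside any configured trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample values for a dry run.
    print(validate_admin_name("apiuser@corp"))            # []
    nets = parse_trusted_hosts("10.0.0.5 192.168.1.0/255.255.255.0 2001:db8::/64")
    print(is_trusted("192.168.1.77", nets), is_trusted("10.0.0.6", nets))
```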