This topic includes the following information:
- Administrator user overview
- REST API administrator user overview
- Create administrator users
- Create REST API administrator users
- Configure access profiles
- Enable password policies
In its factory default configuration, FortiADC has one administrator account named admin. The user of this account has permissions that grant read-write access to all system functions.
Unlike other administrator accounts, this default admin cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. You cannot alter the name and permissions of this default admin account.
To prevent accidental changes to the configuration, it is best that only network administrators, and if possible, only a single person, use the admin account.
You can use the admin account to configure more administrator accounts for other users. Accounts can be created with different levels of access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so using access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
- Create administrator user accounts with permissions provisioned by the profiles.
- Configure access profiles to provision permissions to roles.
- Enable password policies.
As a REST API administrator user, you can generate a generalized authorization token to access the supported FortiADC REST APIs of other systems, such as the FNDN.
REST API administrator user accounts share many of the same features as normal administrator accounts; the primary difference is that REST API administrators cannot log in through the GUI or CLI and must use their assigned API token to interact with FortiADC. REST API administrators can be created via the GUI, where they are automatically assigned an API token. Once assigned to a REST API administrator, an access token does not time out or expire. Access tokens cannot be deleted, but they can be regenerated; once regenerated, the previous token is no longer valid. When a REST API administrator is deleted, any associated tokens are revoked.
REST API administrators can send requests to FortiADC with their API token as a header field.
An example is shown below:
curl 'https://XX.XX.XX.XX/api/XXXX/' -H 'APITOKEN: ede4b6632a464a469b85abedd7b5cc91'
- Create REST API administrator user accounts with permissions provisioned by the profiles.
- Save the automatically generated API Key for use later. This is your API authorization token and is only shown once after being generated, so ensure the API key is saved to a secure location.
- Use the API key to access REST API resources.
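The following client sends the APITOKEN header the same way the curl line above does, while keeping the saved key out of shell history and refusing to send it over plain HTTP. It is an added example, not code from the FortiADC documentation; the environment variable name FORTIADC_API_TOKEN and the host names are assumptions.

```python
import http.client
import json
import os
import ssl
from urllib.parse import urlparse

# Header name as documented for FortiADC REST API administrators.
TOKEN_HEADER = "APITOKEN"


def load_token(env_var="FORTIADC_API_TOKEN"):
    """Read the saved token from the environment (hypothetical variable name)
    rather than from a command-line flag, keeping it out of shell history."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(env_var + " is not set; save the key shown when the account is created")
    return token


def build_headers(token):
    """Headers for a request authenticated as a REST API administrator."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty string")
    return {TOKEN_HEADER: token, "Accept": "application/json"}


def parse_base_url(base_url):
    """Return (host, port); refuse anything but HTTPS so the token is never sent in clear text."""
    u = urlparse(base_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("FortiADC API token must only be sent over HTTPS")
    return u.hostname, u.port or 443


def fetch_json(base_url, path, token, cafile=None, timeout=10):
    """GET a resource, verifying the FortiADC certificate against cafile
    (or the system trust store), and return the decoded JSON body."""
    host, port = parse_base_url(base_url)
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers=build_headers(token))
        resp = conn.getresponse()
        body = resp.read()
        if resp.status in (401, 403):  # standard HTTP auth failures, e.g. a revoked or regenerated token
            raise PermissionError("token rejected (HTTP %d)" % resp.status)
        if resp.status != 200:
            raise RuntimeError("unexpected HTTP status %d" % resp.status)
        return json.loads(body)
    finally:
        conn.close()
```

Call it as `fetch_json("https://<fortiadc-host>", "/api/<resource>/", load_token(), cafile="fortiadc-ca.pem")`; a regenerated token invalidates the one stored in the environment, so the PermissionError path is the signal to update it.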