User Guide

FortiCloud Roles

FortiCloud supports the following roles:

  • Non-OU Account: A FortiCloud account not part of an organization.

  • Root Account: Can create or invite member accounts and appoint OU admins. There is no option to choose an OU or member account when logging in.

  • Member Account: Joins an organization. It cannot have IAM users or permission profiles of the OU type, so it cannot manage OUs or other member accounts.

  • OU Admin: An IAM user with the Organization type that manages specific OUs or member accounts within those OUs.

IAM User permission types

Permission scope is assigned when creating a permission profile or an IAM user. It defines the scope of access a user has in terms of asset folders or OU hierarchy.

  • Local: Default type, limited to the selected account's asset folders.

  • Organization: Advanced settings for assigning IAM users, user groups, and permissions to OUs and member accounts. Only IAM users with this type can be assigned as an OU admin.

Assigning IAM users with the Local type to an organization on the GSLB organization page will no longer be effective if the organization is associated with a member or root account.

IAM users from the member or root account will always be able to manage resources under the account, provided their permission profile allows it.

Permission scope can be defined as Local or Organization using the Choose A Type feature. The Local type is automatically assigned to all permission profiles when OU access is not enabled. However, if a login user does have OU access enabled, the scope can be set to either the Local or Organization type. Once selected, permission scope can then be based on hierarchical OU (Organization type) or asset folder (Local type) paths in the Organization portal and Asset Management portal, respectively.

For full details on permission scope, please see Permission scope with Organizations.

For steps on how to create an IAM user, please see FortiCloud IAM Users.
