REST API Solution Guide

Authorization and Permissions

In most cases, once a user is authenticated by a method such as OAuth or Basic Authentication, the API checks whether the user is authorized to use that endpoint, based on the permissions assigned to them by higher-level administrators.

Permissions are contained within built-in admin profiles, which are configured in System > Administration > Admin Profiles. For example, if an admin has the 'Can view local users' permission, they will be able to successfully perform a GET request to the '/localusers' endpoint. Similarly, if they do NOT have the 'Can change local users' permission, any of their POST requests to the '/localusers' endpoint should fail. These profiles can be assigned to an admin by selecting the admin under Authentication > User Management > Local / Remote Users and adding an admin profile that contains the required permission to their list of applicable admin profiles.

If you want to give an admin only the permissions required to use an endpoint, without the many other permissions that come with a built-in permission set, you can create a custom permission set containing only the permissions required. To do this, navigate to System > Administration > Admin Profiles, create a custom permission set with the permissions of your choice, and then apply that admin profile to your admin user.

For a summary of the authentication methods, permission sets, and permissions that each endpoint requires, see the Authorization and Permissions Table below.
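The following is an added illustration, not FortiAuthenticator code, of the authorization rule the paragraphs above describe: an already-authenticated admin's request succeeds only if one of their admin profiles carries the permission the endpoint requires. The endpoint rows are copied from the table on this page; splitting a "Can view / change X" permission into a view half for GET and a change half for POST is the page's stated rule, and extending it to PUT, PATCH and DELETE is an assumption made here. The `AdminProfile` class, the profile names and the `authorize`/`required_permission` helpers are illustrative and do not exist in the product.

```python
"""Model of how an endpoint's required permission gates a request.

Added illustration, not FortiAuthenticator code. Endpoint rows are taken from
the Authorization and Permissions table on this page. ASSUMPTION: the page only
states the GET -> view and POST -> change rule; PUT/PATCH/DELETE are treated
like POST here.
"""
from dataclasses import dataclass

# Endpoint -> (built-in permission set, required permission), copied from the table.
ENDPOINT_PERMISSIONS = {
    "/api/v1/localusers/":     ("Users and Devices",     "Can view / change local user"),
    "/api/v1/ldapusers/":      ("Users and Devices",     "Can view / change remote LDAP user"),
    "/api/v1/radiuspolicies/": ("RADIUS Service",        "Can view RADIUS Policies"),
    "/api/v1/recovery/":       ("Maintenance",           "Can perform configuration backup"),
    "/api/v1/system/":         ("System Administration", "Can change system access settings"),
}

READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # only POST is stated on the page (assumption)


@dataclass(frozen=True)
class AdminProfile:
    """One admin profile (System > Administration > Admin Profiles): a named set of permissions."""
    name: str
    permissions: frozenset


def required_permission(method: str, path: str):
    """Return the permission a request needs, or None when nothing in the table can authorize it.

    A combined "Can view / change X" row expands to "Can view X" for reads and
    "Can change X" for writes; a row naming a single permission requires it for
    every supported method, except that a view-only row never authorizes a write.
    """
    entry = ENDPOINT_PERMISSIONS.get(path)
    if entry is None or method not in READ_METHODS | WRITE_METHODS:
        return None
    _, perm = entry
    if " / change " in perm:
        view_part, subject = perm.split(" / change ", 1)  # "Can view", "local user"
        return f"{view_part} {subject}" if method in READ_METHODS else f"Can change {subject}"
    if perm.startswith("Can view ") and method in WRITE_METHODS:
        return None  # a view-only row grants no write access at all
    return perm


def authorize(profiles, method: str, path: str) -> str:
    """Decide a request for an already-authenticated admin.

    Returns "allow" or a "deny: ..." string naming what is missing, which is the
    detail worth logging next to a rejected request.
    """
    needed = required_permission(method, path)
    if needed is None:
        return f"deny: no permission authorizes {method} {path}"
    granted = set().union(*(p.permissions for p in profiles))
    if needed in granted:
        return "allow"
    return f"deny: missing '{needed}' (not in profiles {[p.name for p in profiles]})"


# A built-in set as listed in the table versus a least-privilege custom profile
# (constructed sample profiles; the built-in set's full permission list is not on the page).
USERS_AND_DEVICES = AdminProfile("Users and Devices", frozenset({
    "Can view local user", "Can change local user",
    "Can view remote LDAP user", "Can change remote LDAP user",
}))
LOCAL_USER_AUDITOR = AdminProfile("local-user-auditor (custom)", frozenset({"Can view local user"}))


def demo():
    """Run a few requests through authorize() and return request -> decision."""
    cases = [
        ([LOCAL_USER_AUDITOR], "GET", "/api/v1/localusers/"),
        ([LOCAL_USER_AUDITOR], "POST", "/api/v1/localusers/"),
        ([USERS_AND_DEVICES], "POST", "/api/v1/localusers/"),
        ([LOCAL_USER_AUDITOR], "GET", "/api/v1/ldapusers/"),
    ]
    return {f"{m} {p} as {', '.join(x.name for x in profs)}": authorize(profs, m, p)
            for profs, m, p in cases}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```

The custom `local-user-auditor` profile shows the point of the third paragraph: it can list local users but every write to `/localusers/` is denied with the exact missing permission named, and it has no access to `/ldapusers/` at all, whereas the broader built-in set authorizes both.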

| Resource Name | Base URL | Authentication Method | Applicable Built-in Permission Set | Required Permission |
|---|---|---|---|---|
| auth | https://[server_name]/api/v1/auth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
| fabric | https://[server_name]/api/v1/fabric/ | OAuth Bearer Token Authentication | Widgets | Can read and access Fabric widgets |
| fabric (no version) | https://[server_name]/api/fabric | None | Webservice Authentication | Can authenticate FAC as fabric device |
| fgtgroupfilter | https://[server_name]/api/v1/fgtgroupfilter/ | Webservice Basic Authentication | SSO Settings | Can view / change FortiGate filter |
| fortiguardmessages | https://[server_name]/api/v1/fortiguardmessages/ | Webservice Basic Authentication | System Administration | Can view / change FortiGuard settings |
| fortitokenmobilelicenses | https://[server_name]/api/v1/fortitokenmobilelicenses/ | Webservice Basic Authentication | Users and Devices | Can view / change FortiToken |
| fortitokenmobileprovisioning | https://[server_name]/api/v1/fortitokenmobileprovisioning/ | Webservice Basic Authentication | System Administration | Can view / change FortiGuard settings |
| fortitokens | https://[server_name]/api/v1/fortitokens/ | Webservice Basic Authentication | Users and Devices | Can view / change FortiToken |
| ftpservers | https://[server_name]/api/v1/ftpservers/ | Webservice Basic Authentication | Maintenance | Can view / change FTP server |
| ldapusers | https://[server_name]/api/v1/ldapusers/ | Webservice Basic Authentication | Users and Devices | Can view / change remote LDAP user |
| licensing | https://[server_name]/api/v1/licensing/ | Webservice Basic Authentication | System Administration | Can import a new FAC license |
| localapiadmin | https://[server_name]/api/v1/localapiadmin/ | Webservice Basic Authentication | Administrators | Can view / change group |
| localgroup-memberships | https://[server_name]/api/v1/localgroup-memberships/ | Webservice Basic Authentication | Users and Devices | Can view / change user group |
| localusers | https://[server_name]/api/v1/localusers/ | Webservice Basic Authentication | Users and Devices | Can view / change local user |
| logsettings | https://[server_name]/api/v1/logsettings/ | Webservice Basic Authentication | Logs | Can view / change log settings |
| oauth | https://[server_name]/api/v1/oauth/ | None | None | None |
| passwordpolicies | https://[server_name]/api/v1/passwordpolicies/ | Webservice Basic Authentication | Account Policy | Can view / change Password policy |
| pushauth | https://[server_name]/api/v1/pushauth/ | Webservice Basic Authentication | None | None |
| pushauthresp | https://[server_name]/api/v1/pushauthresp/ | None | None | None |
| pushpoll | https://[server_name]/api/v1/pushpoll/ | None | None | None |
| radiususers | https://[server_name]/api/v1/radiususers/ | Webservice Basic Authentication | Users and Devices | Can view / change remote RADIUS user |
| realmauth | https://[server_name]/api/v1/realmauth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
| scepreqs | https://[server_name]/api/v1/scepreqs/ | Webservice Basic Authentication | Certificate Management | Can view / change certificate enrollment request |
| recovery | https://[server_name]/api/v1/recovery/ | Webservice Basic Authentication | Maintenance | Can perform configuration backup |
| scheduledbackupsettings | https://[server_name]/api/v1/scheduledbackupsettings/ | Webservice Basic Authentication | Maintenance | Can change scheduled configuration backup settings |
| smtpservers | https://[server_name]/api/v1/smtpservers/ | Webservice Basic Authentication | Messaging Configuration | Can view / change SMTP server |
| ssoauth | https://[server_name]/api/v1/ssoauth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
| ssogroup | https://[server_name]/api/v1/ssogroup/ | Webservice Basic Authentication | SSO Settings | Can view / change SSO group |
| syslogservers | https://[server_name]/api/v1/syslogservers/ | Webservice Basic Authentication | SSO Settings | Can view / change syslog source |
| system | https://[server_name]/api/v1/system/ | Webservice Basic Authentication | System Administration | Can change system access settings |
| systeminfo | https://[server_name]/api/v1/systeminfo/ | Webservice Basic Authentication | Maintenance | Can view / change HA setting |
| radiusclients | https://[server_name]/api/v1/radiusclients/ | Webservice Basic Authentication | RADIUS Service | Can view / change RADIUS Clients |
| radiuspolicies | https://[server_name]/api/v1/radiuspolicies/ | Webservice Basic Authentication | RADIUS Service | Can view RADIUS Policies |
| radiuspolicyclient | https://[server_name]/api/v1/radiuspolicyclient/ | Webservice Basic Authentication | RADIUS Service | Can view / change RADIUS Policies / Clients |
| tacplusclients | https://[server_name]/api/v1/tacplusclients/ | Webservice Basic Authentication | TACACS+ Service | Can view / change TACACS+ Clients |
| tacpluspolicies | https://[server_name]/api/v1/tacpluspolicies/ | Webservice Basic Authentication | TACACS+ Service | Can view TACACS+ Policies |
| tacpluspolicyclient | https://[server_name]/api/v1/tacpluspolicyclient/ | Webservice Basic Authentication | TACACS+ Service | Can view / change TACACS+ Policies / Clients |
| transfertoken | https://[server_name]/api/v1/transfertoken/ | None | None | None |
| usercerts | https://[server_name]/api/v1/usercerts/ | Webservice Basic Authentication | Certificate Management | Can view / change user certificate |
| userfortitokenpolicy | https://[server_name]/api/v1/userfortitokenpolicy/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
| userlockoutpolicy | https://[server_name]/api/v1/userlockoutpolicy/ | Webservice Basic Authentication | Account Policy | Can view / change user lockout policy settings |
