Authorization and Permissions
In most cases, once a user is authenticated by a method such as OAuth or Basic Authentication, the api will check if the user is authorized to use that endpoint based on the permissions they have been assigned by higher level administrators.
Permissions are contained within built-in admin profiles which are configured in System > Administration > Admin Profiles. Generally, for example, if an admin has the 'Can view local users' permission, they will be able to successfully perform a GET request to the '/localusers' endpoint. Similarly, if they do NOT have 'Can change local users' permission, any of their POST requests to the '/localusers' endpoint should fail. These profiles can be assigned to an admin by selecting an admin under Authentication > User Management > Local / Remote Users, and adding an admin profile, which contains the correct permission, to their list of applicable admin profiles.
If you want to give an admin only the permissions required to use an endpoint, without giving them the many permissions that go along with a built-in permission set, you can make a custom permission set with only the permissions required. This can be done by navigating to System > Administration > Admin Profiles, creating a custom permission set with permissions of your choice, and then applying that admin profile to your admin user.
For a summary of the authentication methods, permission sets, and permissions that each endpoint requires, see the Authorization and Permissions Table below.
Resource Name | Base URL | Authentication Method | Applicable Built-in Permission Set | Required Permission code |
---|---|---|---|---|
auth | https://[server_name]/api/v1/auth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
fabric | https://[server_name]/api/v1/fabric/ | OAuth Bearer Token Authentication | Widgets | Can read and access Fabric widgets |
fabric (no version) | https://[server_name]/api/fabric | None | Webservice Authentication | Can authenticate FAC as fabric device |
fgtgroupfilter | https://[server_name]/api/v1/fgtgroupfilter/ | Webservice Basic Authentication | SSO Settings | Can view / change FortiGate filter |
fortiguardmessages | https://[server_name]/api/v1/fortiguardmessages/ | Webservice Basic Authentication | System Administration | Can view / change FortiGuard settings |
fortitokenmobilelicenses | https://[server_name]/api/v1/fortitokenmobilelicenses/ | Webservice Basic Authentication | Users and Devices | Can view / change FortiToken |
fortitokenmobileprovisioning | https://[server_name]/api/v1/fortitokenmobileprovisioning/ | Webservice Basic Authentication | System Administration | Can view / change FortiGuard settings |
fortitokens | https://[server_name]/api/v1/fortitokens/ | Webservice Basic Authentication | Users and Devices | Can view / change FortiToken |
ftpservers | https://[server_name]/api/v1/ftpservers/ | Webservice Basic Authentication | Maintenance | Can view / change FTP server |
ldapusers | https://[server_name]/api/v1/ldapusers/ | Webservice Basic Authentication | Users and Devices | Can view / change remote LDAP user |
licensing | https://[server_name]/api/v1/licensing/ | Webservice Basic Authentication | System Administration | Can import a new FAC license |
localapiadmin | https://[server_name]/api/v1/localapiadmin/ | Webservice Basic Authentication | Administrators | Can view / change group |
localgroup-memberships | https://[server_name]/api/v1/localgroup-memberships/ | Webservice Basic Authentication | Users and Devices | Can view / change user group |
localusers | https://[server_name]/api/v1/localusers/ | Webservice Basic Authentication | Users and Devices | Can view / change local user |
logsettings | https://[server_name]/api/v1/logsettings/ | Webservice Basic Authentication | Logs | Can view / change log settings |
oauth | https://[server_name]/api/v1/oauth/ | None | None | None |
passwordpolicies | https://[server_name]/api/v1/passwordpolicies/ | Webservice Basic Authentication | Account Policy | Can view / change Password policy |
pushauth | https://[server_name]/api/v1/pushauth/ | Webservice Basic Authentication | None | None |
pushauthresp | https://[server_name]/api/v1/pushauthresp/ | None | None | None |
pushpoll | https://[server_name]/api/v1/pushpoll/ | None | None | None |
radiususers | https://[server_name]/api/v1/radiususers/ | Webservice Basic Authentication | Users and Devices | Can view / change remote RADIUS user |
realmauth | https://[server_name]/api/v1/realmauth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
scepreqs | https://[server_name]/api/v1/scepreqs/ | Webservice Basic Authentication | Certificate Management | Can view / change certificate enrollment request |
recovery |
https://[server_name]/api/v1/recovery/ |
Webservice Basic Authentication |
Maintenance |
Can perform configuration backup |
scheduledbackupsettings | https://[server_name]/api/v1/scheduledbackupsettings/ | Webservice Basic Authentication | Maintenance | Can change scheduled configuration backup settings |
smtpservers | https://[server_name]/api/v1/smtpservers/ | Webservice Basic Authentication | Messaging Configuration | Can view / change SMTP server |
ssoauth | https://[server_name]/api/v1/ssoauth/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
ssogroup | https://[server_name]/api/v1/ssogroup/ | Webservice Basic Authentication | SSO Settings | Can view / change SSO group |
syslogservers | https://[server_name]/api/v1/syslogservers/ | Webservice Basic Authentication | SSO Settings | Can view / change syslog source |
system | https://[server_name]/api/v1/system/ | Webservice Basic Authentication | System Administration | Can change system access settings |
systeminfo | https://[server_name]/api/v1/systeminfo/ | Webservice Basic Authentication | Maintenance | Can view / change HA setting |
radiusclients |
https://[server_name]/api/v1/radiusclients/ |
Webservice Basic Authentication |
RADIUS Service |
Can view / change RADIUS Clients |
radiuspolicies |
https://[server_name]/api/v1/radiuspolicies/ |
Webservice Basic Authentication |
RADIUS Service |
Can view RADIUS Policies |
radiuspolicyclient |
https://[server_name]/api/v1/radiuspolicyclient/ |
Webservice Basic Authentication |
RADIUS Service |
Can view / change RADIUS Policies/ Clients |
tacplusclients |
https://[server_name]/api/v1/tacplusclients/ |
Webservice Basic Authentication |
TACACS+ Service |
Can view / change TACACS+ Clients |
tacpluspolicies |
https://[server_name]/api/v1/tacpluspolicies/ |
Webservice Basic Authentication |
TACACS+ Service |
Can view TACACS+ Policies |
tacpluspolicyclient |
https://[server_name]/api/v1/tacpluspolicyclient/ |
Webservice Basic Authentication |
TACACS+ Service |
Can view / change TACACS+ Policies/Clients |
transfertoken | https://[server_name]/api/v1/transfertoken/ | None | None | None |
usercerts | https://[server_name]/api/v1/usercerts/ | Webservice Basic Authentication | Certificate Management | Can view / change user certificate |
userfortitokenpolicy | https://[server_name]/api/v1/userfortitokenpolicy/ | Webservice Basic Authentication | Webservice Authentication | Can use API to authenticate |
userlockoutpolicy | https://[server_name]/api/v1/userlockoutpolicy/ | Webservice Basic Authentication | Account Policy | Can view / change user lockout policy settings |