Dynamically group endpoints based on user identity

EMS can now dynamically group endpoints based on their user identity. An end user can provide their user identity in FortiClient for the following social network accounts:

  • LinkedIn
  • Google
  • Salesforce
  • User Input

When the end user selects User Input, they can specify personal information, including their avatar, name, phone number, and email address. If they select another option, FortiClient reads their avatar, name, phone number, and email address from the corresponding account. FortiClient displays this information and sends it via Telemetry to EMS. EMS uses this information to apply applicable host verification tags on endpoints.

The end user can disconnect FortiClient from the specified account by clicking the Sign out button.

In this example, the EMS administrator has configured five compliance verification rules, which apply the following host verification tags to endpoints that fulfill the listed criteria:

| Tag name | Endpoint criteria |
|---|---|
| Specific-Google-Only-Tag | FortiClient is linked to one of the following accounts: notifytest01@gmail.com (Google account); forticlientvm1@gmail.com (Google account) |
| Specified-Google-LinkedIn-Tag | FortiClient is linked to one of the following accounts: notifytest01@gmail.com (Google account); forticlientvm1@gmail.com (LinkedIn account) |
| All-Google-Tag | FortiClient is linked to a Google account. |
| All-LinkedIn-Tag | FortiClient is linked to a LinkedIn account. |
| Users-Specified-tag | User selected User Input and provided their personal information manually. |

The following shows the EMS configuration for the Specific-Google-Only rule, which applies the Specific-Google-Only-Tag to endpoints that satisfy the configured criteria:

Note: The EMS administrator must enable Show Host Tags on FortiClient GUI in the applied endpoint profile for host tags to display in FortiClient.

This user is logged in to their Google account, notifytest01@gmail.com. EMS applies the Specific-Google-Only-Tag tag to the endpoint, since the linked Google account matches one of Specific-Google-Only-Tag's specified Google accounts. EMS also applies the All-Google-Tag to the endpoint, since FortiClient is linked to a Google account:

This user is logged in to their LinkedIn account, forticlientvm1@gmail.com. EMS applies the Specific-Google-LinkedIn-Tag tag to the endpoint, since the linked LinkedIn account matches Specific-Google-LinkedIn-Tag's specified LinkedIn account. EMS also applies the All-LinkedIn-Tag to the endpoint, since FortiClient is linked to a LinkedIn account:

This user selected User Input and provided their personal information manually. EMS applies the User-Specified-tag tag to the endpoint:

The Host Tag Monitor page in EMS displays the endpoints that belong to each dynamic group:

The Fabric Device Monitor page in EMS displays the number of endpoints that are applicable for each tag:
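
The rule matching described above can be modelled in a few lines. This is an added example, not Fortinet code or an EMS API: the rule format, the `provider` and `email` field names, and the sample identities are assumptions made for illustration, and the tag names are taken from the table.

```python
# Added illustration: a model of the page's five example rules, not EMS code.
# The rule format and the "provider"/"email" field names are hypothetical.
ANY = "*"  # criterion matches any account from that provider

# Tag names and criteria as listed in the table above.
RULES = {
    "Specific-Google-Only-Tag": {
        ("google", "notifytest01@gmail.com"),
        ("google", "forticlientvm1@gmail.com"),
    },
    "Specified-Google-LinkedIn-Tag": {
        ("google", "notifytest01@gmail.com"),
        ("linkedin", "forticlientvm1@gmail.com"),
    },
    "All-Google-Tag": {("google", ANY)},
    "All-LinkedIn-Tag": {("linkedin", ANY)},
    "Users-Specified-tag": {("user input", ANY)},
}


def tags_for(identity):
    """Return the tags whose criteria match the identity an endpoint reports."""
    # Normalising case and whitespace is a choice of this model only.
    provider = identity["provider"].strip().lower()
    email = identity["email"].strip().lower()
    return [
        tag
        for tag, criteria in RULES.items()
        if (provider, email) in criteria or (provider, ANY) in criteria
    ]


# Constructed sample identities, as an endpoint might report them.
SAMPLES = [
    {"provider": "Google", "email": "notifytest01@gmail.com"},
    {"provider": "LinkedIn", "email": "forticlientvm1@gmail.com"},
    {"provider": "Google", "email": "forticlientvm1@gmail.com"},
    {"provider": "User Input", "email": "someone@example.com"},
    {"provider": "Salesforce", "email": "someone@example.com"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["provider"], s["email"], "->", tags_for(s) or "no tags")
```

In this model a criterion is the pair of account type and address, so forticlientvm1@gmail.com satisfies different specific rules depending on whether it is reported as a Google or a LinkedIn account. A Salesforce-linked endpoint satisfies none of the five example rules.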
