Fortinet Document Library

Version: 22.2.0
User management models

IAM user accounts are similar to FortiCloud accounts. The legacy Sub User Model grants full or limited permissions for access and assets to individual users. The newer IAM User Model uses granular portal-based permissions and asset permissions for more control and improved security.

Sub User Model

The Sub User model has two types of user: the Master User (or account Owner) and the Sub User. The Master User is the person who created the FortiCloud account. Master Users have full Admin permissions in all of the portals associated with the FortiCloud account, including:

  • Creating users

  • Assigning full admin or limited access permissions and assets to sub users

Note

The Sub User model only supports one Master User for the account. The Master User's email address must be unique.

Master Users can change their email address as long as the new email address remains unique. A Master User can change their email address up to five times in a 24-hour period.

A Master User can assign Full Access or Limited Access permissions to a Sub User, as well as the devices the Sub User can access. Assigning Full Access permissions to a Sub User grants them the same permissions as the Master User, with some limitations. Limited Access lets the Master User select the Sub User's permissions and assets individually.

IAM User Model

The IAM User model uses portal-based permissions to manage users’ access and asset permissions. Instead of assigning Full Access permissions or Limited Access for the user account, an IAM administrator selects an access type as defined by the portal. Asset permissions are based on the Asset Folders in the Asset Management (AM) portal. This allows for a more granular combination of access and asset permissions.

A Master User (Account Owner) can always access the IAM portal. IAM Users can access the IAM portal only according to the permissions the Master User has set for that portal. Sub Users cannot access the IAM portal at all.
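The IAM model's key property is that two independent grants must both hold: a portal access type and an Asset Folder permission, either of which may come from the user directly or from an IAM user group. The following toy evaluator is an added example (not Fortinet's code) that models that rule plus the IAM-portal access rule above; portal names, access types, their ordering, folder names and the "highest grant wins" merge are all assumptions.

```python
# Added example (not Fortinet's code): a toy evaluator for the IAM User model.
# Portal names, access types, their ordering and folder names are constructed.
from dataclasses import dataclass, field

# Assumed ordering of portal access types, most privileged last.
RANK = {"read_only": 1, "read_write": 2, "admin": 3}


@dataclass
class Principal:
    """An IAM user or IAM user group: an access type per portal plus the
    Asset Management folders it may touch. Users may belong to groups."""
    portal_access: dict = field(default_factory=dict)  # portal -> access type
    asset_folders: set = field(default_factory=set)
    groups: list = field(default_factory=list)

    def effective_access(self, portal):
        """Assumption: direct and group grants merge, highest type wins."""
        grants = [self.portal_access.get(portal)]
        grants += [g.portal_access.get(portal) for g in self.groups]
        grants = [g for g in grants if g is not None]
        return max(grants, key=RANK.get) if grants else None

    def effective_folders(self):
        """Assumption: folder grants are the union of direct and group grants."""
        return set().union(self.asset_folders, *(g.asset_folders for g in self.groups))


def can_access(user, portal, need="read_only", folder=None):
    """IAM rule: the portal permission AND the asset-folder permission must
    both hold. No portal grant, too low an access type, or a folder outside
    the user's effective folders each deny."""
    access = user.effective_access(portal)
    if access is None or RANK[access] < RANK[need]:
        return False
    return folder is None or folder in user.effective_folders()


def can_open_iam_portal(user_kind, user=None):
    """Master User always; IAM user only if granted the IAM portal; Sub User never."""
    if user_kind == "master":
        return True
    if user_kind == "iam":
        return user is not None and user.effective_access("IAM") is not None
    return False


# Constructed sample: a group grants read-only on Portal X for Folder A; the
# user directly holds read_write on Portal X but only for Folder B.
ops = Principal({"Portal X": "read_only"}, {"Folder A"})
alice = Principal({"Portal X": "read_write"}, {"Folder B"}, [ops])
```

The sample shows why the combination matters: a strong portal grant on its own does not reach an asset folder the user was never given, and a folder grant on its own gives no portal access.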

IAM User types

IAM User

IAM users can access Fortinet cloud portals without a FortiCloud account. Each IAM account requires an Account ID/Alias, User Name, and password to log in to a portal. Administrators can assign portal and asset permissions to an IAM user or to an IAM user group.
API users

API users can access FortiCloud services through the API. API users can only use OAuth 2.0 for authentication to access web service APIs provided by each FortiCloud service portal.

API user IDs and passwords are generated by the IAM service portal. One FortiCloud account can have multiple API users. The IAM service administrator can define which cloud portals the user can access, as well as the user's read/write permissions.

External IdP Roles

External IdP roles allow external users to log in to a cloud portal using their organization's identity provider (IdP). External IdP roles are authenticated through a custom login page. After the user is authenticated, they are redirected to a jump page where they can select the cloud portal(s) assigned to their account.

One account can have more than one External IdP role. User accounts with multiple roles are required to select a role before they can access a portal. Users with no roles assigned to their account are blocked.

Note

External IdP roles are a limited beta feature. New enrollment requests are not available at this time.