Any Account Owner (the person who created the account, also known as the Master user) can access the IAM portal. IAM Users have access to the portal based on the permissions set by the Master user (e.g. admin, read only, read write).
Master users can create IAM Users. IAM Users with Admin/Read-Write permissions to the IAM portal can also create IAM Users. See Adding IAM users.
Most FortiCloud portals include IAM User support. Refer to the product portal admin guides for more information about IAM User support and permissions.
FortiCloud supports many cloud services, all accessible with a unified FortiCloud account. IAM introduces granular access control for various cloud services and improved common user management for all services. For example, an admin can create an IAM User with access to specific services and a designated role such as admin or read only.
IAM provides in-depth access and permission control for services. Granular permissions provide additional security and strong access control for account admins.
Yes. However, we strongly recommend migrating your users to the IAM portal to take advantage of the security features. The IAM portal includes a sub user migration wizard for easy migration.
While both models co-exist currently, the legacy user management model is expected to be deprecated in the near future. The timeline for deprecation will be communicated later.
Legacy sub accounts have limited permission controls. The IAM permission model enhances access control with fine-grained permissions for various cloud products and services.
Each account is identified with a unique Account ID. Instead of remembering the Account ID, the account admin can set an alias (a unique string) to easily identify the account. An account alias can be used by IAM Users when they log in to a portal.
Adding an account alias is optional. IAM Users can use an Account ID or Account Alias if set.
Yes, admins can update the alias from the My Account menu in the top menu bar.
When creating an IAM User, the system generates a temporary password that the IAM User can log in with. After the IAM User is logged in, they can set a new password of their choice. See Adding IAM users.
Admins should provide the initial system-generated password to the IAM User. After that, the IAM User can reset the password at any time using the Security Credentials menu from the top menu bar.
Admins (Master user or IAM User with Admin/Read-Write permissions) can always generate new temporary passwords from the IAM User profile in the IAM portal. See Generating passwords.
Yes. An admin (Master user or IAM User with Admin/Read-Write permissions) can change the permissions from the IAM portal after creating the IAM User. See Updating user permissions.
Once an IAM User is added to an IAM User Group, only Group permissions apply. See Managing IAM user groups.
On the Login screen, select Login as IAM User and enter the Account ID (or Alias), IAM Username, and password.
No. The IAM portal is not available in the Services menu when you log in with a Partner account.
When Two-Factor Authentication (2FA) is enabled at the account level, all users, including legacy sub-users, are forced to set up 2FA to log in to the portal.
Legacy sub-users that use the same email address for multiple accounts may notice they can log in to one account with an email address but are forced to log in with 2FA for another account. This is because one account has 2FA enabled while the other does not.
Users can disable 2FA for their account even when it is enabled at the account level. However, the user will not be able to log in to the portal until 2FA is enabled again.