
Identity & Access Management (IAM)

FAQ

24.1.0

Can anyone access the IAM portal or does it require special permissions?

Any Account Owner (the person who created the account, also known as the master user) can access the IAM portal. IAM users have access to the portal based on the permission profile assigned. See Permission profiles.

Do I need to be a master user to create IAM users?

Master users can create IAM users. IAM users with Admin/Read-Write permissions to the IAM portal can also create IAM users. See Adding IAM users.

Which FortiCloud portals support IAM users?

Most FortiCloud portals include IAM user support. Refer to the product portal administration guides for more information about IAM user support and permissions.

Why are you changing user management?

FortiCloud supports many cloud services, all accessible with a unified FortiCloud account. IAM introduces granular access control for various cloud services and improved common user management for all services. For example, an admin can create an IAM user with access to specific services and a designated role such as admin or read-only.

What benefit does IAM offer me?

IAM provides in-depth access and permission control for services. Permission profiles provide additional security and strong access control for account admins.

Can I still create traditional sub accounts?

Yes; however, we strongly recommend migrating your users to the IAM portal to take advantage of the security features. The IAM portal includes a sub user migration wizard for easy migration.

Will you stop supporting sub accounts, and if so, when?

While both models co-exist currently, the legacy user management model is expected to be deprecated in the near future. The timeline for deprecation will be communicated later.

What limitations do legacy sub accounts have?

Legacy sub accounts have limited permission controls. The IAM permission model enhances access control with fine-grained permissions for various cloud products and services.

What is the alias for IAM users?

Each account is identified with a unique Account ID. Instead of remembering the Account ID, the account admin can set an alias (a unique string) to easily identify the account. An account alias can be used by IAM users when they log in to a portal.

Is an alias required?

Adding an account alias is optional. IAM users can log in with the Account ID or, if one is set, the alias.

Can I modify or change the alias?

Yes, admins can update the alias from the My Account menu in the top menu bar.

Note

If you are using the legacy Sub User Model, only the master user can change the alias.

How do I set a password for an IAM user?

When creating an IAM user, the system generates a temporary password the IAM user can log in with. After the IAM user is logged in, they can set a new password of their choice. See Adding IAM users.

Do I have to provide new IAM users with the generated password file?

You should provide the generated reset password link to the IAM user.

Can admins update or edit an IAM user's permissions to portals or assets?

Yes. An admin (master user or IAM user with Admin/Read-Write permissions) can change the permissions from the IAM portal after creating the IAM user. See Updating user permissions.

Can I change an IAM user's individual permissions in a user group?

Once an IAM user is added to a user group, only the group permission profile applies. See Managing IAM user groups.

How do IAM users log in to the FortiCloud account?

On the Login screen, select IAM Login and enter the Account ID (or Alias), IAM username and password. See Logging in as an IAM user.

Can I access the IAM portal with my Partner account?

No. The IAM portal is not available in the Services menu when you log in with a Partner account.

Why am I being forced to use Two-Factor Authentication to log into a portal?

When Two-Factor Authentication (2FA) is enabled at the account level, all users, including legacy sub users, are forced to set up 2FA to log into the portal.

Legacy sub users that use the same email address for multiple accounts may notice they can log into one account with an email address but are forced to log in with 2FA for another account. This is because one account has 2FA enabled while the other does not.

Users can disable 2FA for their account even when it is enabled at the account level. However, the user will not be able to log into the portal until 2FA is enabled again.
