Identity & Access Management (IAM) is a service to help you control access to FortiCloud portals and assets. You can use the portal to manage users, authentication credentials, and asset permissions.
The permission model has been updated to a multi-dimensional permission model that provides fine-grained control and ease of use. It consists of the following two factors:
Permission Profile: Defines the enabled portals and the access permissions available to an assigned user. Instead of assigning portal permissions directly when creating an IAM user, external IdP role, and so on, the user is assigned to a permission profile. The permission profile must be created before being assigned to a user. Permission profiles can be assigned to multiple users and user groups.
Permission Scope: The permission scope defines the scope of access within the account. Management of the account is dependent on the available and selected scope.
The IAM user type provides more control and flexibility when assigning user permissions. Save time creating new users by applying the permissions of an existing user to a new user or adding the user to a group. Account administrators can temporarily disable vulnerable IAM users and enforce Two-Factor Authentication at the account level. Migrate sub users to the IAM portal to manage all of your users in one place.
Organize IAM users into user groups to assign portal and asset permissions to multiple users at the same time. You can create a group based on the user roles, asset permissions, or any other category of your choosing. Remove a user from a group without deleting their profile from the portal or temporarily disable a vulnerable group.
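As an added illustration (not FortiCloud code or its API), the following model shows how the two factors above combine in a deny-by-default check: an action is allowed only when a permission profile grants it on the portal and a permission scope covers the asset, with assignments reaching a user directly or through an enabled group, and a disabled user or group contributing nothing. The portal names, action names and asset identifiers are constructed, and treating profile and scope as a conjunction is this example's modelling assumption.

```python
"""Illustrative model of the profile + scope permission check (constructed
example, not FortiCloud's implementation or API)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PermissionProfile:
    name: str
    # portal name -> set of permitted actions (constructed vocabulary)
    portal_permissions: Dict[str, Set[str]]


@dataclass(frozen=True)
class PermissionScope:
    name: str
    asset_ids: frozenset  # assets within the account this scope covers


@dataclass
class Group:
    name: str
    profile: PermissionProfile
    scope: PermissionScope
    disabled: bool = False  # a disabled group grants nothing to its members


@dataclass
class User:
    name: str
    profile: Optional[PermissionProfile] = None
    scope: Optional[PermissionScope] = None
    groups: List[Group] = field(default_factory=list)
    disabled: bool = False  # a disabled user is denied everything


def is_allowed(user: User, portal: str, action: str, asset_id: str) -> bool:
    """Deny by default; allow only if some enabled assignment (direct or via an
    enabled group) grants `action` on `portal` AND its scope covers `asset_id`."""
    if user.disabled:
        return False
    assignments = []
    if user.profile is not None and user.scope is not None:
        assignments.append((user.profile, user.scope))
    assignments += [(g.profile, g.scope) for g in user.groups if not g.disabled]
    for profile, scope in assignments:
        # both dimensions must pass within the same assignment
        if action in profile.portal_permissions.get(portal, set()) and asset_id in scope.asset_ids:
            return True
    return False
```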
IAM API user
The IAM portal lets you quickly create and manage IAM API users for programmatic access to the API. IAM API user access types are specific to each portal.
External IdP roles
External IdP roles allow IdP users to log in to a cloud portal with their organization's ID provider. External IdP roles allow you to create one role for many users while leveraging all of the benefits of the IAM user type. One account can have more than one external IdP role. User accounts with multiple roles are required to select a role before they can access a portal.
IdP roles are a limited beta feature. New enrollment requests are not available at this time.
Multi-factor Authentication (2FA)
Two-Factor Authentication is fast and easy to configure. Users can authenticate using FortiToken or with an emailed security token. IAM administrators can enforce 2FA for all users at the account level. If a user disables 2FA for their account, they cannot access Fortinet applications until they enable it again.