User permissions
The Master user is the account administrator that creates the account and has access to all the items in the navigation menu including Register Products and My Assets. The account administrator can create users, assign permissions based on the user's role, assign user permissions, and assign devices to a user.
Partners can be connected to one account or multiple accounts as a master or sub user. Partners connected to multiple accounts can switch accounts from the Account dropdown. See Creating connected accounts (Partners) |
The Master user can create various types of users:
There are three types of user permissions for IAM, External IdP, and API users:
Permissions | Admin | Read/Write | Read Only |
---|---|---|---|
View Product List, My Assets, and Asset views (based on Asset permissions) | X | X | X |
Register new products, contracts or licenses | X | X | |
Manage asset folders, move, and decommission units | X | X | |
View account service entitlements and contracts | X | X | |
View and renew eligible units for online renewals | X |
Permissions can be assigned to a user using permission profiles. Permissions can be granted on a role-based or resource-based basis. See Permission profiles in the Identity & Access Administration Guide. The Asset Management portal uses resource-based permissions. See Portals with resource-based permissions in the Identity & Access Administration Guide. |
IAM users
IAM users are created in the IAM portal and their permissions are assigned by the account administrator. An IAM user will have their own asset and portal permissions until they are assigned to a group. Permissions assigned to a user or user group depend on the permissions profile assigned. See IAM users in the Identity & Access Administration Guide.
Account administrators can view an IAM user's permissions in the Users and User Groups pages of the IAM portal. For information, see Managing IAM users and Managing IAM user groups in the Identity & Access Administration Guide.
External IdP user roles
External IdP roles allow external users to log in to a cloud portal using their company’s user credentials with a third-party ID provider. External IdP users are authenticated by their company's ID provider. After the user is authenticated, they can access the cloud application based on their role. External IdP roles have the same permissions as IAM users. See External IdP roles in the Identity & Access Administration Guide.
API users
API users can access FortiCloud services through the API. API users have the same permissions as IAM users. See API users in the Identity & Access Administration Guide.
Legacy sub-user
The sub user is a legacy model. It is recommended that sub users be migrated into the IAM user model. See Migrating sub users.
Sub users can have full or limited access:
User type |
Description |
---|---|
Sub user (Full Access) |
Has access to all the items in the navigation menu including Register Products and My Assets. Sub users with read-only permissions cannot change a folder's structure or move assets. Depending on the permissions set by the master user, a sub user with full access can create new users and send renewal notices. |
Sub user (Limited Access) | Has access to Product List and Decommissioned Units in the navigation menu. Sub users with limited permissions only have access to the products assigned to them by the master user. |
Viewing sub user permissions
To view a sub user's permissions:
- Go to FortiCloud.
- Log in to your FortiCloud account as a master user.
- In the profile dropdown menu, select My Account.
- Click Manage User. The Current Users list is displayed.
- Click a user in the list.
- (Optional) Click Edit to update the user's permissions.