Identity & Access Management (IAM)

Permission scope with Organizations

24.1.0
Permission scope with Organizations

Permission scope is assigned when creating a permission profile or an IAM user, user group, or IdP role. It defines the scope of access a user has in terms of asset folders or OU hierarchy.

Local and Organization scope

Permission scope is further defined by Local versus Organization access type. Local access is the default for the Identity & Access Management portal. IAM users, user groups, and so on can be created as usual when in the Local type and will be limited to the asset folders in the selected account. See Permission scope.

However, if organizations are enabled and created in the Organization portal, the Organization type can be used for more advanced settings. This more advanced version allows IAM users, user groups, and so on to be assigned to OUs and OU member accounts that define your company's organization structure.

Permission scope can be defined as Local or Organization using the Choose A Type feature. The Local type is automatically assigned to all permission profiles when OU access is not enabled. However, if a login user does have OU access enabled, the scope can be set to either the Local or Organization type. Once selected, permission scope can then be based on hierarchical OU (Organization type) or asset folder (Local type) paths in the Organization portal and Asset Management portal, respectively.

Note

If you are logged in with an OU permission scope, you can see both Local and Organization permission profiles on the Permission Profiles page. However, if you are logged in to your local account, you will only be able to see Local permission profiles.

Available and selected scope

A user's permission scope is independent of the account they belong to. Once specified, in an OU context, the selected scope is not necessarily the same as the available scope:

  • Available scope: The available scope is the total access scope assigned to the login user. It covers all organizations, OUs, and member accounts the user can access. The available scope defines what a user is capable of doing and is assigned through the permission scope. This scope can extend up to and including the organization account if the user has the proper permissions. The available scope is the scope that is enforced when the current login user configures the permission scope of IAM users or external IdP roles.

  • Selected scope: The selected scope refers to the current login user's selected OU context within the current session. It can be changed at any time within this session. It includes the current account a user is accessing and any accounts below this level in the hierarchy. The selected scope is used to focus your view within the available scope and defines what is visible and available to the user. For example, if the user is currently accessing an OU account, the Asset Management portal Dashboard will display an aggregated view of the member accounts under that OU. See Organizational Unit account views in the Asset Management Administration Guide.

The selected scope can be changed to another account within the available scope by selecting a new account from the context switch dropdown. See OU context switch.

Example of selected scope

If the current selected scope is lower in the organization hierarchy than the available scope, this does not limit the overall abilities of the user. The user will be able to assign users and permission profiles to any level of the organization within their available scope, including levels higher in the hierarchy than the selected scope.

The following organization structure will be used for the example.

If a user has permissions up to and including the ORG account but they select Subfolder2 when logging in, the scope of their account is:

  • Available scope: The ORG account and all OUs and member accounts within it.

  • Selected scope: The Subfolder2 account and all accounts below it in the hierarchy.

While they are accessing Subfolder2, the information they see in the portals will relate to that OU and the member accounts within it. However, since they have an available scope of ORG, they are not limited to the selected scope. For example, when creating a new IAM user, they can delegate that IAM user to any account within ORG, such as Subfolder1, which is higher in the organization hierarchy than Subfolder2.
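The two scope checks in this example, modelled as an added Python illustration (this is not Fortinet IAM code); the parent links and the member accounts below Subfolder1 and Subfolder2 are assumed, since the page's figure is not reproduced here:

```python
from dataclasses import dataclass

# Assumed organization structure: account -> parent account.
# ORG > Subfolder1 > Subfolder2 matches the text; the member accounts are constructed.
PARENT = {
    "ORG": None,
    "Subfolder1": "ORG",
    "Subfolder2": "Subfolder1",
    "Member-A": "Subfolder2",
    "Member-B": "Subfolder1",
}


def ancestors_and_self(acct):
    """Walk from `acct` up to the root, returning every account on the way."""
    chain = []
    while acct is not None:
        chain.append(acct)
        acct = PARENT[acct]
    return chain


def subtree(root):
    """Return `root` plus every account below it in the hierarchy."""
    return {acct for acct in PARENT if root in ancestors_and_self(acct)}


@dataclass
class Session:
    available_root: str  # highest account granted by the permission scope
    selected_root: str   # OU chosen at login or via the context switch

    def available_scope(self):
        return subtree(self.available_root)

    def selected_scope(self):
        return subtree(self.selected_root)

    def switch_context(self, acct):
        # The context switch may only target an account inside the available scope.
        if acct not in self.available_scope():
            raise PermissionError(f"{acct} is outside the available scope")
        self.selected_root = acct

    def visible(self, acct):
        # Portal views (e.g. the Asset Management dashboard) follow the selected scope.
        return acct in self.selected_scope()

    def can_delegate_to(self, acct):
        # Delegating a new IAM user is checked against the available scope, not the
        # selected one, so an OU above the current context is still a valid target.
        return acct in self.available_scope()
```

With `Session("ORG", "Subfolder2")`, `visible("Subfolder1")` is False while `can_delegate_to("Subfolder1")` is True, which is exactly the situation the example describes.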