Fortinet white logo
Fortinet white logo

Identity & Access Management (IAM)

24.4.0

User management models

User management models

IAM user accounts are similar to FortiCloud accounts. The legacy Sub User Model allows full and limited permissions for access and assets to individual users. The IAM User Model uses permission profiles for more control and improved security.

Basic function mode

The basic functionality for the Identity & Access Management portal includes all of the major features, including:

  • Permission profiles

  • IAM users

  • IAM user groups

  • Sub user migration

  • External IdP roles

  • Access to account management

Advanced mode

The advanced management mode of the Identity & Access Management portal includes the same capabilities as the basic function mode, with the addition of organization support. See Organization user management.

Sub User Model

Note

This model will be deprecated in the near future. It is strongly recommended that you use the IAM User Model to take full advantage of the new features.

The Sub User Model has two types of user: The master user (or Account Owner) and sub user. The master user is the person who created the FortiCloud account. Master users have full Admin permissions in all of the portals associated with the FortiCloud account including:

  • Creating users

  • Assigning full admin or limited access permissions and assets to sub users

Note

The Sub User Model only supports one master user for the account. The master user's email address must be unique.

Master user’s can change their email address as long as the new email address remains unique. A master user can change their email address up to five times in a 24-hour period.

A master user can assign Full Access or Limited Access permissions to a sub user as well as the devices the sub user can access. Assigning Full Access permissions to sub users grants them the same permissions as the master user with limitations. Limited Access allows the master user to select the sub user’s permissions and assets. See User permissions in the Asset Management Administration Guide for more information on the different access levels.

Only the master user can access the Identity & Access Management portal and make changes, such as migrating sub users to IAM users. The sub user cannot access the portal regardless if they have Full Access or Limited Access.

IAM User Model

The IAM User Model uses portal-based permission profiles to manage users’ access and asset permissions. Instead of assigning Full Access permissions or Limited Access for the user account, an IAM administrator selects an access type as defined by the portal when creating a permission profile. Permission scope asset permissions are based on the Organizational Unit or asset folders in the Asset Management (AM) portal. This allows for a more granular combination of access and asset permissions.

A master user (Account Owner) can access the IAM portal. IAM Users have access to the portal based on the permissions set by the master user for the IAM portal. Sub users cannot access the IAM Portal.

IAM user types

User type Description
IAM user IAM users can access Fortinet cloud portals with a FortiCloud account. Each IAM account requires an Account ID/Alias, User Name, and password to log in to a portal. Administrators can assign permission profiles to an IAM user or to an IAM user group.
API users

API users can access FortiCloud services through the API. API users can only use OAuth 2.0 for authentication to access web service APIs provided by each FortiCloud service portal.

API user IDs and passwords are generated by the IAM service portal. One FortiCloud account can have multiple API users. The IAM service administrator can define which cloud portals the user can access, as well as the user's read/write permissions.

External IdP roles

External IdP roles allow external users to log in to a cloud portal using their organization’s ID provider. External IdP roles are authenticated with a custom login page. After the user is authenticated, they are redirected to a jump page where they can select the cloud portal(s) assigned to their account.

One account can have more than one external IdP role. User accounts with multiple roles are required to select a role before they can access a portal. Users with no roles assigned to their account are blocked.

Note

IdP roles are a limited beta feature.

User management models

User management models

IAM user accounts are similar to FortiCloud accounts. The legacy Sub User Model allows full and limited permissions for access and assets to individual users. The IAM User Model uses permission profiles for more control and improved security.

Basic function mode

The basic functionality for the Identity & Access Management portal includes all of the major features, including:

  • Permission profiles

  • IAM users

  • IAM user groups

  • Sub user migration

  • External IdP roles

  • Access to account management

Advanced mode

The advanced management mode of the Identity & Access Management portal includes the same capabilities as the basic function mode, with the addition of organization support. See Organization user management.

Sub User Model

Note

This model will be deprecated in the near future. It is strongly recommended that you use the IAM User Model to take full advantage of the new features.

The Sub User Model has two types of user: The master user (or Account Owner) and sub user. The master user is the person who created the FortiCloud account. Master users have full Admin permissions in all of the portals associated with the FortiCloud account including:

  • Creating users

  • Assigning full admin or limited access permissions and assets to sub users

Note

The Sub User Model only supports one master user for the account. The master user's email address must be unique.

Master user’s can change their email address as long as the new email address remains unique. A master user can change their email address up to five times in a 24-hour period.

A master user can assign Full Access or Limited Access permissions to a sub user as well as the devices the sub user can access. Assigning Full Access permissions to sub users grants them the same permissions as the master user with limitations. Limited Access allows the master user to select the sub user’s permissions and assets. See User permissions in the Asset Management Administration Guide for more information on the different access levels.

Only the master user can access the Identity & Access Management portal and make changes, such as migrating sub users to IAM users. The sub user cannot access the portal regardless if they have Full Access or Limited Access.

IAM User Model

The IAM User Model uses portal-based permission profiles to manage users’ access and asset permissions. Instead of assigning Full Access permissions or Limited Access for the user account, an IAM administrator selects an access type as defined by the portal when creating a permission profile. Permission scope asset permissions are based on the Organizational Unit or asset folders in the Asset Management (AM) portal. This allows for a more granular combination of access and asset permissions.

A master user (Account Owner) can access the IAM portal. IAM Users have access to the portal based on the permissions set by the master user for the IAM portal. Sub users cannot access the IAM Portal.

IAM user types

User type Description
IAM user IAM users can access Fortinet cloud portals with a FortiCloud account. Each IAM account requires an Account ID/Alias, User Name, and password to log in to a portal. Administrators can assign permission profiles to an IAM user or to an IAM user group.
API users

API users can access FortiCloud services through the API. API users can only use OAuth 2.0 for authentication to access web service APIs provided by each FortiCloud service portal.

API user IDs and passwords are generated by the IAM service portal. One FortiCloud account can have multiple API users. The IAM service administrator can define which cloud portals the user can access, as well as the user's read/write permissions.

External IdP roles

External IdP roles allow external users to log in to a cloud portal using their organization’s ID provider. External IdP roles are authenticated with a custom login page. After the user is authenticated, they are redirected to a jump page where they can select the cloud portal(s) assigned to their account.

One account can have more than one external IdP role. User accounts with multiple roles are required to select a role before they can access a portal. Users with no roles assigned to their account are blocked.

Note

IdP roles are a limited beta feature.