
Identity & Access Management (IAM)

24.4.0

Creating users, user groups, and roles within Organizations

New IAM users, user groups, API users, and IdP roles can be created from the appropriate Identity & Access Management portal pages. When you configure the details, the Choose a Type and Permission Scope features can be used to define Local or Organization type, and the asset folder or OU path, respectively.

To create an IAM user:
  1. Select Users from the left-hand navigation menu. The Users page opens.
  2. Click Add New > IAM User. The User Details pane opens.
  3. (Optional) Click Apply same permissions as existing User, and then select a user from the dropdown. You can configure the permissions later.
  4. Enter the user's details and click Next.

    Username: Type the username with no spaces.
    Full Name: Type the user's first and last name.
    Email: Type the user's email address.
    Phone: Select the country code from the dropdown, and type the user's phone number.
    Description (Optional): Type a description of the user.

  5. (Optional) Add the user to an IAM user group. See User groups.
    1. Select Yes from Basic Info. A dropdown list of user groups is displayed.
    2. Select a user group from the dropdown.
    3. Click Next, and proceed to Step 10.

  6. Select the Organization user type from the Select A Type dropdown list.

  7. Select the scope from the Permission Scope dropdown.

    Note

    Permission Scope options depend on the type you select in the previous step. For example, if the Organization type is selected, the OU scope will be selected here. The available scope will be applied in this case.

  8. In the Permissions Profile dropdown, select a profile. The Permission Details assigned to the selected profile are displayed.
  9. Click Next. The Confirmation page is displayed.
  10. Review the user information, and click Confirm. The user's details are displayed.

Account credentials must be shared with the new user. You can generate a password reset link and share it with the newly created IAM user.

To create a user group:
  1. Select User Groups from the left-hand navigation menu. The User Groups page opens.

  2. Click Add IAM User Group. The IAM User Group Information page is displayed.
  3. In the Group Name field, enter a name for the group.
  4. (Optional) In the Description field, describe the group.
  5. (Optional) Set the Status to Disabled. The status is Active by default.
  6. Click Next.
  7. Select the user type from the Select A Type dropdown list.
  8. Select the scope from the Permission Scope dropdown.

    Note

    Permission Scope options depend on the type you select in the previous step. For example, if the Organization type is selected, the OU scope will be selected here. The available scope will be applied in this case.

  9. In the Permissions Profile dropdown, select a profile. The Permission Details assigned to the selected profile are displayed.
  10. Click Next. The Add IAM user(s) page is displayed.
  11. Assign users to the group.
    1. Click Add User.
    2. (Optional) Click Filter users by Group to view the users in a group. Selecting a user that is already in a group removes the user from that group.
    3. (Optional) Type a username in the search bar. As you type, partial results are returned.
    4. Select the users and click Add.
    5. Click Next. The Confirmation page is displayed.
  12. Review the group permissions, and click Confirm.

  13. (Optional) Click Add Another Group.

To create an API user:
  1. Select Users from the left-hand navigation menu. The Users page opens.
  2. Click Add New > API User.
  3. (Optional) In the Description field, enter a description of the user.
  4. Select the Organization user type from the Select A Type dropdown list.

    Note

    When creating an API user that can be added to an Organization, if the user is set to the Local type instead, they will be unable to specify the permission scope. They will automatically be assigned My Assets for the permission scope.

  5. Select the scope from the Permission Scope dropdown.

    Note

    Permission Scope options depend on the type you select in the previous step. For example, if the Organization type is selected, the OU scope will be selected here. The available scope will be applied in this case.

  6. Select a permission profile from the Permission Profile dropdown list.

  7. Click Add.
  8. Click Download Credentials. The Security Check dialog opens.

    Note

    Each time you download API user credentials, the user's existing security credentials are reset. The API user only exists within the account scope.

  9. Enter your password to protect the credential file and click Proceed. The credentials are downloaded to your computer.
  10. Request an authorization token. See Accessing FortiAPIs.

To add an external user role:
  1. Select Users from the left-hand navigation menu. The Users page opens.
  2. Click Add New > External IDP Role. The External IdP Role page opens.

  3. In the Role Name field, type the name of the role.
  4. (Optional) In the Description field, enter a description of the role.
  5. Select the Organization user type from the Select A Type dropdown list.

  6. From the Permission Scope dropdown, select an asset folder or Organizational Unit.

    Note

    Permission Scope options depend on the type you select in the previous step. For example, if the Organization type is selected, the OU scope will be selected here. The available scope will be applied in this case.

  7. In the Permissions Profile dropdown, select a profile. The Permission Details assigned to the selected profile are displayed.
  8. Click Add Role.
