Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Administration Guide

    Home FortiDLP FortiDLP Administration Guide

    Operator access types

    Operator access types

    Access types determine how FortiCloud operators can interact with the FortiDLP Console. Each access type represents a predefined set of permissions.

    Operators are known as users in the FortiCloud Portal, where FortiCloud accounts are created and managed. As described in FortiCloud operators, each FortiCloud user is assigned a permission profile which defines their access type.

    The following table describes the supported access types, which have been preallocated permissions based on the principle of least privilege.

    FortiCloud operator access types
    Name Description
    Admin Grants an operator read/write access to FortiDLP's administrative functionality.
    Analyst (Pseudonymized) Grants an operator pseudonymized access to FortiDLP's search functionality. For more on pseudonymization, see Pseudonymization perspective below.
    Analyst (Standard) Grants an operator access to FortiDLP's search functionality.
    Auditor Grants an operator read-only access to FortiDLP's audit log, and administrative and policy functionality, including exporting.
    Global Administrator

    Grants an operator read/write access to all of FortiDLP's functionality.

    Note

    For security purposes, you should limit use of this access type.
    Investigation Approver Grants an operator access to assign, approve, deny, and revoke scoped investigations.
    Investigator Grants an operator access to request, activate, and withdraw scoped investigations, view user/node properties and labels, and view and export policies.
    Policy Manager Grants an operator read/write access to FortiDLP's policies functionality, including creating, editing, duplicating, deleting, importing, and exporting.
    Policy Viewer Grants an operator read-only access to FortiDLP's policies functionality, including exporting.
    Pseudonymization perspective

    FortiDLP employs data security techniques that allow you to control whether operators see users' true or pseudonymized profiles in the FortiDLP Console. Through pseudonymized user profiles—where identifying information is either replaced with pseudonyms or hidden—you give operators the access they need to uncover risks in your organization while maintaining the strict confidentiality of users.

    See the following tables for a list of the fields that are pseudonymized (replaced with artificial data) or anonymized (redacted) in the FortiDLP Console. These fields cannot be searched to deter operators with pseudonymized access from attributing events to users when threat hunting. However, these operators can view all other event details and perform searches using all other properties, escalating threats to higher-privileged operators who can identify users and take action. Pseudonymized and anonymized data can also be added to cases, with user information only visible to operators whose accounts have been configured with the standard perspective.

    Masked user/node fields
    Field Pseudonymized Anonymized
    Name
    Email
    Department
    Title
    Manager
    Mobile phone
    Office phone
    Home address
    Office address
    Image
    Location
    Hostname
    IP address
    Wi-Fi
    Foreground application title
    Labels
    Note

    For a label's value to be pseudonymized, the Pseudonymize label toggle must be turned on. For details, see Creating custom labels.
    Masked detection fields
    Field Pseudonymized Anonymized Notes
    Description Partially redacted, masking identifying information as indicated for other fields this table
    Account name
    Destination IP
    File path Partially redacted, masking the account name within the path
    Process binary path Partially redacted, masking the account name within the path
    Process username
    Recipient email address Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
    Sender email address Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
    Source IP
    Target file path Partially redacted, masking the account name within the path
    Masked incident fields
    Field Pseudonymized Anonymized Notes
    Description Partially redacted, masking identifying information as stated in detections table
    Cluster data Partially redacted, masking the value (remote_ip:[REDACTED])

    Additional data that is anonymized for operators with pseudonymized access includes:

    • Screenshots
    • Watchlists and saved searches containing identifying properties.
    Previous
    Next

    Operator access types

    Operator access types

    Access types determine how FortiCloud operators can interact with the FortiDLP Console. Each access type represents a predefined set of permissions.

    Operators are known as users in the FortiCloud Portal, where FortiCloud accounts are created and managed. As described in FortiCloud operators, each FortiCloud user is assigned a permission profile which defines their access type.

    The following table describes the supported access types, which have been preallocated permissions based on the principle of least privilege.

    FortiCloud operator access types
    Name Description
    Admin Grants an operator read/write access to FortiDLP's administrative functionality.
    Analyst (Pseudonymized) Grants an operator pseudonymized access to FortiDLP's search functionality. For more on pseudonymization, see Pseudonymization perspective below.
    Analyst (Standard) Grants an operator access to FortiDLP's search functionality.
    Auditor Grants an operator read-only access to FortiDLP's audit log, and administrative and policy functionality, including exporting.
    Global Administrator

    Grants an operator read/write access to all of FortiDLP's functionality.

    Note

    For security purposes, you should limit use of this access type.
    Investigation Approver Grants an operator access to assign, approve, deny, and revoke scoped investigations.
    Investigator Grants an operator access to request, activate, and withdraw scoped investigations, view user/node properties and labels, and view and export policies.
    Policy Manager Grants an operator read/write access to FortiDLP's policies functionality, including creating, editing, duplicating, deleting, importing, and exporting.
    Policy Viewer Grants an operator read-only access to FortiDLP's policies functionality, including exporting.
    Pseudonymization perspective

    FortiDLP employs data security techniques that allow you to control whether operators see users' true or pseudonymized profiles in the FortiDLP Console. Through pseudonymized user profiles—where identifying information is either replaced with pseudonyms or hidden—you give operators the access they need to uncover risks in your organization while maintaining the strict confidentiality of users.

    See the following tables for a list of the fields that are pseudonymized (replaced with artificial data) or anonymized (redacted) in the FortiDLP Console. These fields cannot be searched to deter operators with pseudonymized access from attributing events to users when threat hunting. However, these operators can view all other event details and perform searches using all other properties, escalating threats to higher-privileged operators who can identify users and take action. Pseudonymized and anonymized data can also be added to cases, with user information only visible to operators whose accounts have been configured with the standard perspective.

    Masked user/node fields
    Field Pseudonymized Anonymized
    Name
    Email
    Department
    Title
    Manager
    Mobile phone
    Office phone
    Home address
    Office address
    Image
    Location
    Hostname
    IP address
    Wi-Fi
    Foreground application title
    Labels
    Note

    For a label's value to be pseudonymized, the Pseudonymize label toggle must be turned on. For details, see Creating custom labels.
    Masked detection fields
    Field Pseudonymized Anonymized Notes
    Description Partially redacted, masking identifying information as indicated for other fields this table
    Account name
    Destination IP
    File path Partially redacted, masking the account name within the path
    Process binary path Partially redacted, masking the account name within the path
    Process username
    Recipient email address Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
    Sender email address Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
    Source IP
    Target file path Partially redacted, masking the account name within the path
    Masked incident fields
    Field Pseudonymized Anonymized Notes
    Description Partially redacted, masking identifying information as stated in detections table
    Cluster data Partially redacted, masking the value (remote_ip:[REDACTED])

    Additional data that is anonymized for operators with pseudonymized access includes:

    • Screenshots
    • Watchlists and saved searches containing identifying properties.
    Previous
    Next