FortiDLP Administration Guide

User archiving and deleting

You can archive or delete users to focus on just those that are relevant—such as users with nodes communicating with FortiDLP.

Archived users

When you archive a user, you hide them from the Users and Nodes modules and from a node’s Associated users list across the FortiDLP Console, but you can still search for their events.

FortiDLP provides automatic and manual archiving functionality to hide certain users from parts of the FortiDLP Console.

  • Auto-archiving: There are three auto-archiving rules available.
    • Auto-archive inactive users pending enrollment: Archive a user that has been synced to Reveal but is not associated with an enrolled node within a set time limit.
    • Auto-archive inactive users: Archive a user if an associated node does not send a heartbeat to Reveal within a set time limit.
    • Auto-archive directory-deleted users: Archive a user if they have been deleted from an LDAP or Entra ID directory and the directory is subsequently synced to FortiDLP.
      Note

      To enable this rule for your LDAP directory, see Creating the configuration file or Using command-line flags in the FortiDLP LDAP Sync Tool Administration Guide.

      To enable this rule for your Entra ID directory, see Auto-archiving Entra ID directory-deleted users.

      To enable this rule for your Google Workspace directory, see Auto-archiving Google Workspace directory-deleted users.

  • Manual archiving: You can manually exclude users from the FortiDLP Console for any reason via the Users module.

Archived users can be automatically or manually unarchived.

  • Auto-unarchiving: There are three ways that a user can be automatically unarchived.
    • Auto-unarchiving via node heartbeats: If a user has been auto-archived for any reason or manually archived via the Users module, a heartbeat sent from an associated node will auto-unarchive them.
    • Auto-unarchiving directory-deleted users: If a user has been auto-archived due to being deleted from a directory sync but is then included in a subsequent sync, they will be auto-unarchived.
    • Auto-unarchiving restored users: If a deleted user has been restored and is then included in a directory sync, they will be auto-unarchived. For information about restored deleted users, see the section below.
  • Manual unarchiving: You can manually unarchive a user via the Users module. For more information, see Manually archiving and unarchiving users.

Deleted users

You can manually delete a user in the Users module for any reason, for example, to remove a user's personal information when they leave your company.

When you delete a user, you remove their directory information and labels. Additionally, you remove all references to the user, such as where they are associated with events, detections, incidents, and nodes. To indicate a user was historically associated with an event, the text "[DELETED]" will replace the user's details.

A deleted user can be manually restored via the api/v1/admin/users/restore FortiDLP API endpoint. Once they are restored, they will be set to the state "Archived (never enrolled)", and they then need to be re-synced to FortiDLP so that they will be unarchived and re-associated with their events.

User states

A user is shown with one of the following states in the FortiDLP Console. Most states can transition to other states (see User state transitions for details).

User states
State | Set by | Description

Pending enrollment | Directory sync

The user has been synced to FortiDLP but is not associated with an enrolled node.

Active | Node activity

The user has been automatically set to this state because FortiDLP has received a heartbeat from a node associated with the user.

Always active | Operator

The user has been manually unarchived or manually prevented from being auto-archived.

The user cannot be auto-archived.

Archived | Auto-archive rule or operator

The user has been:

  • auto-archived because an associated node has not recently sent a heartbeat to Reveal,
  • auto-archived because they have been deleted from an LDAP or Entra ID directory, or
  • manually archived.

The user can automatically be set to "Active" if an associated node sends a heartbeat to FortiDLP.

Archived (never enrolled) | Auto-archive rule

The user has been:

  • auto-archived because they have been deleted from an LDAP or Entra ID directory, or
  • set to this state because they have been manually restored via the FortiDLP API after being deleted.

The user can automatically be set to "Active" if they become associated with an enrolled node.

Always archived | Operator

The user has been manually archived via the FortiDLP API.

The user cannot automatically be set to "Active" if an associated node sends a heartbeat to FortiDLP.

Note

Users can only be set to "Always archived" by executing a POST request to the /api/v2/users/state FortiDLP API endpoint.

A user set to this state can only be manually changed using the FortiDLP API or manually unarchived in the FortiDLP Console. This state should be used with caution.

Deleted | Operator

The user has been removed from the FortiDLP Console.

Tooltip

To search for users by their state, in the Users module's search bar, enter a query such as state = pending_entrollment and expose the State column in the table. For more information about the Users module, see Users.

Note

If a user is set to "Always active" or "Always archived", no automatic states can subsequently be set for that user by an auto-archive rule or node activity.

User and node states are independent of each other. For information on the different states a node can be set to, see Node archiving.
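
The state rules above can be checked as a small model. This is an added example, not Fortinet code: it encodes only the transitions stated on this page, and the event names (heartbeat, console_archive, api_always_archived and so on) are hypothetical labels, not FortiDLP API values. It shows that a user archived in the Users module reappears on the next node heartbeat, while "Always archived" and "Always active" are not changed by automatic events.

```python
# Added illustration: a model of the user-state rules stated on this page.
# State names are the Console display names; event names are hypothetical labels.

PINNED = {"Always active", "Always archived"}  # no automatic state can be set

# Automatic transitions (auto-archive rules, node activity) stated on the page.
AUTOMATIC = {
    ("Pending enrollment", "heartbeat"): "Active",
    ("Archived", "heartbeat"): "Active",
    ("Archived (never enrolled)", "heartbeat"): "Active",
    ("Active", "inactivity_timeout"): "Archived",
    ("Active", "directory_deleted"): "Archived",
}

# Operator actions and the state each one sets.
OPERATOR = {
    "console_archive": "Archived",             # manual archive, Users module
    "console_unarchive": "Always active",      # manual unarchive
    "api_always_archived": "Always archived",  # POST to /api/v2/users/state
    "delete": "Deleted",
}

def next_state(state, event):
    """Return the state after one event; unknown pairs leave it unchanged."""
    if event == "api_restore":
        # Restoring a deleted user sets "Archived (never enrolled)".
        return "Archived (never enrolled)" if state == "Deleted" else state
    if state == "Deleted":
        return state  # the page describes only restore for deleted users
    if event in OPERATOR:
        return OPERATOR[event]
    if state in PINNED:
        return state  # auto-archive rules and heartbeats are ignored
    # Transitions not described on this page are left unchanged here.
    return AUTOMATIC.get((state, event), state)

def replay(state, events):
    """Apply a sequence of events and return the final state."""
    for event in events:
        state = next_state(state, event)
    return state

if __name__ == "__main__":
    # Constructed scenarios: how an offboarded user is hidden, then a heartbeat.
    for action in ("console_archive", "api_always_archived"):
        print(action, "->", replay("Active", [action, "heartbeat"]))
```
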
