Operator roles
Roles are assigned to operator accounts and API access tokens, and determine how operators can interact with the FortiDLP Console and FortiDLP API. Each role represents a predefined set of permissions.
FortiDLP provides fine-grained permissions, giving you maximum flexibility when creating custom operator roles for your organization. To save you time, built-in roles are also available which have been preallocated permissions based on the principle of least privilege.
The following table describes all supported permissions. The permissions available to you may vary depending on the features enabled for your tenant.
Group | Permission | Enables an operator to ...
---|---|---
Access tokens | Can create access tokens | Generate API access tokens.
| Can read access tokens | View API access tokens.
| Can revoke access tokens | Revoke API access tokens.
Actions | Can read available action settings and current live active actions | View a list of available actions.
| Can perform actions | Execute actions.
| Can delete action content | Delete files created by action events, such as screenshots, shadow copies, debug bundles, and performance reports.
| Can search on action events | View action events.
Agent management | Can revoke agents | Revoke Agents' access to the FortiDLP Infrastructure.
| Can read agent enrollment bundles | View Agent enrollment bundles.
| Can create agent enrollment bundles | Generate Agent enrollment bundles.
| Can revoke agent enrollment bundles | Revoke Agent enrollment bundles.
| Can upload agent update archive | Upload Agent upgrade packages to the FortiDLP Infrastructure.
| Can read agent configuration | View Agent configuration settings.
| Can edit agent configuration | Edit Agent configuration settings.
| Can assign/unassign labels | Assign and remove Agent labels.
| Can read agent auto-archive configuration | View Agent auto-archive configuration settings.
| Can edit agent auto-archive configuration | Edit Agent auto-archive configuration settings.
| Can manually archive/unarchive agents | Manually archive/unarchive Agents.
| Can change suppression status of agent components | Suppress/unsuppress Agent components.
| Can delete archived agents | Delete archived Agents.
Agent policies | Can read agent policy templates | View policy templates.
| Can edit agent policy templates | Import policy template bundles and policy groups, and delete policy template bundles.
| Can read agent policies | View policy groups and policies.
| Can edit agent policies | Create, edit, delete, and publish policy groups, and create, edit, and delete policies.
| Can read data objects | View uploaded policy assets.
| Can edit data objects | Upload or delete policy assets.
| Can export agent policy groups | Export policy groups.
| Can import agent policy groups | Import policy groups.
Banners | Can edit login banners | Enable and disable login banner messages.
Cases | Can read cases | View cases.
| Can edit cases | Edit cases.
Classifications | Can read classifications | View classifications. This feature is under development.
| Can read agent classifications | View classifications assigned to Agents. This feature is under development.
| Can edit agent classifications | Assign and remove Agent classifications. This feature is under development.
Dashboards | Can edit dashboards | Edit Dashboard module widgets.
Email notifications | Can read email configuration | View incident email notification subscription settings.
| Can edit email configuration | Create, edit, disable, and delete incident email notification subscriptions.
Entra ID | Can edit Entra ID configurations | Edit Entra ID configuration settings.
| Can read Entra ID configurations | View Entra ID configuration settings.
| Can sync Entra ID configurations | Sync Entra ID directories.
File shadowing | Can read file shadowing configuration | View file shadowing configuration settings.
| Can edit file shadowing configuration | Edit file shadowing configuration settings.
| Can download file shadowing evidence | Download the FortiDLP Decryption Tool and shadow copies from the FortiDLP Console.
Google Directory | Can read Google directory configuration | View Google directory configuration settings.
| Can edit Google directory configuration | Edit Google directory configuration settings.
| Can sync Google directory | Sync Google directories.
Incidents | Can change incidents status | Resolve/reopen incidents.
Integrations | Can read integration configuration | View integration configuration settings.
| Can edit integration configuration | Edit integration configuration settings.
| Can sync saas drive labels | Sync Google Drive and Microsoft sensitivity labels to FortiDLP.
| Can read saas connector configuration | View Google Drive and OneDrive cloud connector configuration settings.
| Can edit saas connector configuration | Edit Google Drive and OneDrive cloud connector configuration settings.
LDAP | Can create LDAP configuration | Create a new LDAP configuration entry. (Deprecated)
| Can edit LDAP configuration | Edit LDAP configuration settings. (Deprecated)
| Can read LDAP configuration | View LDAP configuration settings.
| Can delete LDAP configuration | Delete LDAP configuration settings. (Deprecated)
| Can sync LDAP | Sync users from LDAP directories. (Deprecated)
| Can set the LDAP sync status for a configuration | Configure and sync users from LDAP directories.
| Can read LDAP sync status for a configuration | View LDAP directory sync results if a remote configuration is used.
Labels | Can read labels | View all label types.
| Can edit labels | Manage all label types.
Logging | Can access logs | View the FortiDLP Infrastructure logs.
| Can read audit logs | View the Audit log.
| Can export audit logs | Export the Audit log to a TXT file.
| Can clear the audit log | Delete all Audit log entries.
Machine learning | Can read machine learning configuration | View machine learning (behavioral analytics) configuration settings.
| Can edit machine learning configuration | Edit machine learning (behavioral analytics) configuration settings.
Operators | Can read operators | View internal operator accounts.
| Can create operators | Create internal operator accounts.
| Can edit operators | Edit internal operator accounts.
| Can delete operators | Delete internal operator accounts.
| Can read operator roles | View operator roles.
| Can create operator roles | Create operator roles.
| Can edit operator roles | Edit operator roles.
| Can delete operator roles | Delete operator roles.
| Can read operator sessions | View operator web sessions.
| Can logout operator sessions | Terminate operator web sessions.
Perspectives | Can read perspectives | View perspective configuration settings.
| Can edit perspectives | Edit perspective configuration settings.
SaaS applications | Can search the SaaS application inventory | Perform search queries in the SaaS app inventory.
| Can manage the SaaS application inventory | Set SaaS app verdicts and risk scores, and view and add SaaS apps.
SAML | Can read SAML configuration | View SAML configuration settings.
| Can edit SAML configuration | Edit SAML configuration settings.
SIEM integrations | Can edit SIEM integrations | Create, edit, and delete event streams.
| Can read SIEM integrations | View event stream configurations.
| Can read SIEM events | Obtain events from an event stream.
SMTP | Can read SMTP configuration | View SMTP configuration settings.
| Can edit SMTP configuration | Edit SMTP configuration settings.
Scoped investigations | Can read scoped investigation requests | View scoped investigation requests.
| Can edit scoped investigation requests | Approve, deny, revoke, and assign scoped investigation requests.
| Can request and use scoped investigations | Create and withdraw scoped investigation requests, and conduct scoped investigations.
Search | Can read saved searches | View saved searches.
| Can edit saved searches | Create, edit, and delete saved searches.
| Can export search results | Export searches.
| Can search agents | Search for nodes.
| Can search events | Search for events and detections.
| Can search users | Search for users.
| Can search incidents | Search for incidents.
Sensors | Can create sensors via the API | Create detections using the FortiDLP API. This is achieved by sending a POST request to `/api/v1/sensors`.
Storage | Can read quota configuration | View the warning threshold configuration settings for the number of allowed Agents.
| Can edit quota configuration | Edit the warning threshold configuration settings for the number of allowed Agents.
| Can read agent crash reports | Download Agent crash reports.
| Can delete agent crash reports | Delete Agent crash reports.
Supporting operators | Can read supporting operator access | View FortiDLP supporting operator access requests.
| Can manage supporting operator access | Approve, deny, and revoke FortiDLP supporting operator access requests.
Users | Can create users | Create users using the FortiDLP API.
| Can upload user photo | Upload users' profile pictures.
| Can edit user labels | Edit users' labels.
| Can change user state | Archive and unarchive users.
| Can delete users | Permanently delete user information.
| Can read user archive config | View user auto-archiving rules.
| Can edit user archive config | Edit user auto-archiving rules.
Webhooks | Can read webhooks | View webhooks.
| Can edit webhooks | Create, edit, and delete webhooks.
XTND | Can generate XTND cases reports | Use the XTND AI-powered assistant in the Cases module.
The next table describes the built-in operator roles FortiDLP provides. It also details an internal role that cannot be manually assigned to operator accounts, but is used by FortiDLP. You can view the specific permissions allocated to each role on the Roles page of the FortiDLP Console.
Role | Description
---|---
Built-in/Administrator | A preconfigured role that grants an operator read/write access to FortiDLP's administrative functionality.
Built-in/Analyst (Standard) | A preconfigured role that grants an operator access to FortiDLP's search functionality.
Built-in/Analyst (Pseudonymized) | A preconfigured role that grants an operator pseudonymized access to FortiDLP's search functionality. For more on pseudonymization, see Pseudonymization perspective.
Built-in/Auditor | A preconfigured role that grants an operator read-only access to FortiDLP's audit log, and administrative and policy functionality, including exporting.
Built-in/Global Administrator | A preconfigured role that grants an operator read/write access to all of FortiDLP's functionality.
Built-in/Investigation Approver | A preconfigured role that allows an operator to assign, approve, deny, and revoke scoped investigations.
Built-in/Investigator | A preconfigured role that allows an operator to request, activate, and withdraw scoped investigations, view user/node properties and labels, and view and export policies.
Built-in/LDAP Sync Tool | A preconfigured role that enables LDAP directory syncs to be performed using the LDAP Sync Tool.
Built-in/Policy manager | A preconfigured role that grants an operator read/write access to FortiDLP's policy functionality, including creating, editing, duplicating, deleting, importing, and exporting.
Built-in/Policy viewer | A preconfigured role that grants an operator read-only access to FortiDLP's policy functionality, including exporting.
Built-in/SIEM integration | A preconfigured role that enables a third-party SIEM tool to access a FortiDLP event stream.
Pseudonymization perspective
FortiDLP employs data security techniques that allow you to control whether operators see users' true or pseudonymized profiles in the FortiDLP Console. Through pseudonymized user profiles—where identifying information is either replaced with pseudonyms or hidden—you give operators the access they need to uncover risks in your organization while maintaining the strict confidentiality of users.
This feature is enabled by assigning operator accounts roles with the pseudonymization perspective. See the following tables for a list of the fields that are pseudonymized (replaced with artificial data) or anonymized (redacted) in the FortiDLP Console. These fields cannot be searched to deter operators with pseudonymized access from attributing events to users when threat hunting. However, these operators can view all other event details and perform searches using all other properties, escalating threats to higher-privileged operators who can identify users and take action. Pseudonymized and anonymized data can also be added to cases, with user information only visible to operators whose accounts have been configured with the standard perspective.
Field | Pseudonymized | Anonymized | Notes
---|---|---|---
Name | ✓ | |
| ✓ | |
Department | ✓ | |
Title | ✓ | |
Manager | ✓ | |
Mobile phone | ✓ | |
Office phone | ✓ | |
Home address | ✓ | |
Office address | ✓ | |
Image | ✓ | |
Location | ✓ | |
Hostname | ✓ | |
IP address | ✓ | |
Wi-Fi | ✓ | |
Foreground application title | ✓ | |
Labels | ✓ | | For a label's value to be pseudonymized, the Pseudonymize label toggle must be turned on. For details, see Creating custom labels.
Field | Pseudonymized | Anonymized | Notes
---|---|---|---
Description | ✓ | | Partially redacted, masking identifying information as indicated for the other fields in this table
Account name | ✓ | |
Destination IP | ✓ | |
File path | ✓ | | Partially redacted, masking the account name within the path
Process binary path | ✓ | | Partially redacted, masking the account name within the path
Process username | ✓ | |
Recipient email address | ✓ | | Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
Sender email address | ✓ | | Partially redacted, masking the local part of the address but not the domain ([Redacted]@example.com)
Source IP | ✓ | |
Target file path | ✓ | | Partially redacted, masking the account name within the path
Field | Pseudonymized | Anonymized | Notes
---|---|---|---
Description | ✓ | | Partially redacted, masking identifying information as stated in the detections table
Cluster data | ✓ | | Partially redacted, masking the value (remote_ip:[REDACTED])
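The masking rules in the three tables above are easiest to reason about when written out as a transformation over an event. The following Python is an added illustration of those rules (replace identifying profile fields with stable pseudonyms, redact account and IP fields, keep only the domain of email addresses, mask the account name inside paths, and mask `remote_ip` values in cluster data). It is not FortiDLP's code and does not reflect how the product implements the perspective; the HMAC-based pseudonym construction, the field names, and the sample detection are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed key for deterministic pseudonyms (assumption: a real deployment
# would hold such a secret in a key store, never in source).
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"
REDACTED = "[Redacted]"

# Field classes taken from the tables above; the snake_case names are assumed.
PSEUDONYMIZED_PROFILE_FIELDS = {
    "name", "department", "title", "manager", "mobile_phone", "office_phone",
    "home_address", "office_address", "location", "hostname", "ip_address",
    "wifi", "foreground_application_title",
}
ANONYMIZED_FIELDS = {"account_name", "destination_ip", "source_ip", "process_username"}
EMAIL_FIELDS = {"recipient_email", "sender_email"}
PATH_FIELDS = {"file_path", "process_binary_path", "target_file_path"}


def pseudonymize(value: str) -> str:
    """Stable artificial token: the same input always maps to the same pseudonym,
    so an analyst can correlate events without learning the identity."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"pseudo-{digest[:12]}"


def redact_email(address: str) -> str:
    """Mask the local part but keep the domain: alice@example.com -> [Redacted]@example.com."""
    _local, sep, domain = address.partition("@")
    return f"{REDACTED}@{domain}" if sep else REDACTED


def redact_account_in_path(path: str, account: str) -> str:
    """Mask the account name where it appears as a whole path segment (Windows or POSIX)."""
    if not account:
        return path
    return re.sub(rf"(?<=[\\/]){re.escape(account)}(?=[\\/]|$)", REDACTED, path)


def redact_cluster_data(text: str) -> str:
    """Mask the value of remote_ip pairs: remote_ip:203.0.113.9 -> remote_ip:[REDACTED]."""
    return re.sub(r"(remote_ip:)[^\s,;]+", r"\1[REDACTED]", text)


def redact_free_text(text: str, account: str) -> str:
    """Partial redaction of a description: apply the email rule and mask the account name."""
    text = re.sub(r"[\w.+-]+@[\w.-]+", lambda m: redact_email(m.group(0)), text)
    if account:
        text = re.sub(rf"\b{re.escape(account)}\b", REDACTED, text)
    return text


def apply_pseudonymized_perspective(event: dict) -> dict:
    """Return a copy of a detection as an operator with pseudonymized access would see it.
    Non-identifying fields (severity, file names, ...) pass through unchanged."""
    account = event.get("account_name", "")
    out = {}
    for key, value in event.items():
        if key in PSEUDONYMIZED_PROFILE_FIELDS:
            out[key] = pseudonymize(value)
        elif key in ANONYMIZED_FIELDS:
            out[key] = REDACTED
        elif key in EMAIL_FIELDS:
            out[key] = redact_email(value)
        elif key in PATH_FIELDS:
            out[key] = redact_account_in_path(value, account)
        elif key == "cluster_data":
            out[key] = redact_cluster_data(value)
        elif key == "description":
            out[key] = redact_free_text(value, account)
        else:
            out[key] = value
    return out


# Constructed sample detection (not real data).
SAMPLE_DETECTION = {
    "name": "Alice Example",
    "department": "Finance",
    "hostname": "FIN-LAPTOP-07",
    "account_name": "aexample",
    "process_username": "CORP\\aexample",
    "source_ip": "10.1.2.3",
    "file_path": "C:\\Users\\aexample\\Documents\\q3-forecast.xlsx",
    "recipient_email": "bob@partner.example",
    "cluster_data": "remote_ip:203.0.113.9, port:443",
    "description": "aexample emailed q3-forecast.xlsx to bob@partner.example",
    "severity": "high",
}

if __name__ == "__main__":
    for field, value in apply_pseudonymized_perspective(SAMPLE_DETECTION).items():
        print(f"{field:20} {value}")
```

Two points of the design are worth noting for anyone reviewing such a perspective: the pseudonym is deterministic so the same user stays correlatable across events, which is why the masked fields must also be non-searchable (otherwise an operator could probe for a known name); and the description rule reuses the email and account rules rather than a separate pattern, so free text cannot leak what the structured fields already mask.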
Additional data that is anonymized for operators with pseudonymized access includes:
- Screenshots
- Watchlists and saved searches containing identifying properties.
Ensure the following permissions are NOT allocated to operator accounts you wish to have pseudonymized access:
Further, webhooks configured using the JSON payload format may send PII within detection metadata and process information fields even when pseudonymization is enabled. Additionally, non-pseudonymized operators must ensure they do not paste Personally Identifiable Information (PII), or screenshots that include PII, into cases, as this content is visible to operators who have pseudonymized access.