
Administration Guide

Create an approval profile

To create an approval profile:
  1. Go to Secret Settings > Approval Profile.
  2. Select Create to create a new approval profile.

    The New Approval Profile window opens.

  3. Enter the following information:

    Name

    The name of the approval profile.

    Number of Approval Tiers

    The number of approval tiers a secret request is processed through:

    • One (default)

    • Two

    • Three

    Minimum Permission

    From the dropdown, select the minimum secret permission required by the approver to view the secret request:

    • None (default)

    • List

    • View

    • Edit

    • Owner

    Approval Link Expiry Time

    The expiry time for the approve/deny link in the secret approval request email, in minutes (30 - 600, default = 120).

    The expiry time count starts when the email is sent.

    Remote Group Email

    When enabled, members of an approver group receive an email notification when an access request is sent for a secret that has Requires Approval to Launch Secret enabled (see Creating a secret) and whose selected approval profile includes at least one remote user group as an approver (default = disable).

    The option appears when you select at least one remote user group in Approver Groups.

    Trust Time

    Controls how recently a remote user must have logged in to FortiPAM to receive the approver email notification.

    Enter the number of days, counted from the access request creation time, within which a remote user belonging to a remote user group in Approver Groups must have logged in to FortiPAM (0 - 30, default = 0).

    Note: 0 means no login requirement.

    For example, when Trust Time is 5, a remote user belonging to the remote user group selected in Approver Groups must have logged in to FortiPAM at least once within five days from the access request creation time to receive the approver email notification.

    The field appears when Remote Group Email is enabled.

    Trust Time filters out remote users who have been removed from the IdP but are not yet disabled or removed on FortiPAM.

    If the approving user logs in to FortiPAM before the access request expires, the user can still approve the access request, but no email notification is sent.

    Description

    Optionally, enter a description.

    Approval Email Customization

    Email Template

    Enable, and from the dropdown, select a customized email template.

    See Approval email template.

    Use the search bar to look up a custom email template.

    Customized Fields

    Enable, and add text or number fields.

    Select + to add additional fields.

    The custom fields capture additional information necessary for the approval process tailored to the specific needs of your organization.

    Select Required next to the field to make the field mandatory.

    Note: The option is disabled by default.

    Tier-1 Settings

    The Tier 2 and Tier 3 options are the same as those for Tier 1.

    Required number of Approvals

    The minimum number of approvals required.

    The number of users or user groups reviewing a secret request as part of an approval profile must be at least equal to the number of approvals required to pass the request to the next tier or to approve it.

    Approvers

    Select + and from the list, select users in the Select Entries window.

    The selected users will review the secret request.

    To add a new user:
    1. From the Select Entries window, select Create.

      The New User List wizard opens.

    2. Follow the steps in Creating a user, starting from step 2, to create a new user.

    Use the search bar to look up a user.

    Approver Groups

    Select + and from the list, select user groups in the Select Entries window.

    The selected user groups will review the secret request.

    To add a new user group:
    1. From the Select Entries window, select Create.

      The Create New User Group window opens.

    2. Follow the steps in Creating user groups, starting from step 3.

    Use the search bar to look up a user group.

  4. Click Submit.
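The following Python model is an added example and not FortiPAM code: it captures the rules the fields above describe (one to three tiers, the Required number of Approvals check against the number of approvers, Minimum Permission, Approval Link Expiry Time and the Remote Group Email / Trust Time notification filter) so that an administrator can reason about how a profile behaves before submitting it. The class and function names, the sample approvers and timestamps, and the reading of Trust Time as "logged in within that many days before the request was created" are assumptions made for the example.

```python
# Illustrative model of a multi-tier approval profile (added example, not FortiPAM code).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Levels of the Minimum Permission dropdown, lowest to highest.
PERMISSION_RANK = {"None": 0, "List": 1, "View": 2, "Edit": 3, "Owner": 4}


@dataclass
class Approver:
    name: str
    permission: str                       # permission this approver holds on the secret
    remote: bool = False                  # True for members of a remote (IdP) user group
    last_login: Optional[datetime] = None


@dataclass
class Tier:
    required_approvals: int               # Required number of Approvals
    approvers: list                       # Approvers plus members of Approver Groups


@dataclass
class ApprovalProfile:
    name: str
    tiers: list                           # one to three Tier objects
    minimum_permission: str = "None"
    link_expiry_minutes: int = 120        # 30 - 600
    remote_group_email: bool = False
    trust_time_days: int = 0              # 0 - 30; 0 means no login requirement


def validate_profile(profile):
    """Return configuration errors; an empty list means the profile is consistent."""
    errors = []
    if not 1 <= len(profile.tiers) <= 3:
        errors.append("number of approval tiers must be 1, 2 or 3")
    if not 30 <= profile.link_expiry_minutes <= 600:
        errors.append("approval link expiry time must be 30 - 600 minutes")
    if not 0 <= profile.trust_time_days <= 30:
        errors.append("trust time must be 0 - 30 days")
    for index, tier in enumerate(profile.tiers, start=1):
        # A tier needs at least as many reviewers as the approvals it requires.
        if len(tier.approvers) < tier.required_approvals:
            errors.append(f"tier {index}: {len(tier.approvers)} approver(s) cannot give "
                          f"{tier.required_approvals} required approval(s)")
    return errors


def can_view_request(profile, approver):
    """Minimum Permission: the approver's permission on the secret must reach the minimum."""
    return PERMISSION_RANK[approver.permission] >= PERMISSION_RANK[profile.minimum_permission]


def should_notify(profile, approver, request_created):
    """Local approvers are always emailed. Remote approvers need Remote Group Email enabled
    and, when Trust Time is non-zero, a FortiPAM login within that many days before the
    request was created (assumed reading of the Trust Time rule)."""
    if not approver.remote:
        return True
    if not profile.remote_group_email:
        return False
    if profile.trust_time_days == 0:
        return True
    if approver.last_login is None:
        return False
    window_start = request_created - timedelta(days=profile.trust_time_days)
    return window_start <= approver.last_login <= request_created


def link_is_valid(profile, email_sent, now):
    """The approve/deny link expires link_expiry_minutes after the email was sent."""
    return now <= email_sent + timedelta(minutes=profile.link_expiry_minutes)


def request_status(profile, approvals_by_tier):
    """approvals_by_tier holds one set of approver names per tier. A tier passes once the
    approvals from its own approvers reach the tier's requirement; the request advances
    tier by tier and is approved when the last tier passes."""
    for index, tier in enumerate(profile.tiers):
        granted = approvals_by_tier[index] if index < len(approvals_by_tier) else set()
        eligible = {a.name for a in tier.approvers}
        if len(granted & eligible) < tier.required_approvals:
            return f"pending at tier {index + 1}"
    return "approved"


# Constructed sample data: one local owner, two remote reviewers (one stale), one local editor.
CREATED = datetime(2024, 5, 1, 9, 0)
NOW_30 = CREATED + timedelta(minutes=30)
NOW_90 = CREATED + timedelta(minutes=90)
ALICE = Approver("alice", "Owner")
BOB = Approver("bob", "View", remote=True, last_login=CREATED - timedelta(days=2))
CAROL = Approver("carol", "List", remote=True, last_login=CREATED - timedelta(days=9))
DAVE = Approver("dave", "Edit")
PROFILE = ApprovalProfile("prod-db-two-tier", [Tier(2, [ALICE, BOB, CAROL]), Tier(1, [DAVE])],
                          minimum_permission="View", link_expiry_minutes=60,
                          remote_group_email=True, trust_time_days=5)

if __name__ == "__main__":
    print("config errors:", validate_profile(PROFILE))
    for approver in (ALICE, BOB, CAROL, DAVE):
        print(approver.name, "view:", can_view_request(PROFILE, approver),
              "notify:", should_notify(PROFILE, approver, CREATED))
    print(request_status(PROFILE, [{"alice", "bob"}, set()]))
    print(request_status(PROFILE, [{"alice", "bob"}, {"dave"}]))
    print("link valid after 90 min:", link_is_valid(PROFILE, CREATED, NOW_90))
```

With the sample profile, carol is filtered out twice: her List permission is below the View minimum, and her last login falls outside the five-day Trust Time window, so she receives no notification even though she is still listed in the approver group. A request approved by alice and bob passes tier 1 but stays pending until dave approves at tier 2, and the 60-minute link has expired by the 90-minute mark.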
