Setting up multiple PaaS

Prerequisites

The full functionality of the Organization Portal requires a valid FortiCloud Premium contract in the Root account.

Set up Organizational Units (OU)

When you create an Organization, your account becomes the Root Account for the organization. Users with the proper permissions can add Organizational Units (OU) and invite members to join the organization.

Note

The Organization Portal must first be enabled by the Master User. See Enabling Organizations in the Identity & Access Management (IAM) Guide.

Create Organizational Units (OU) and subOU

Organizational Units (OU) are folders for organizing your accounts. You can create a maximum of three levels of OUs to build the structure of your organization. Users with the proper permissions can move Member Accounts between OUs, remove accounts from the organization, edit the organization details, move the OU, or delete it.

To create organizational units:
  1. In the Organization Portal (https://support.fortinet.com/organizations/), click Create Organization. See Creating an organization.
  2. Create Organizational Units (OU) and SubOU. See Adding and deleting OUs.
  3. Create Member Accounts under different Organizational Units (OU). See Creating new Member Accounts.

Invitations

Invitation tokens are a secure method of inviting Member Accounts to join your organization. The Root Account for the organization can generate a token and then distribute it via SMS, Teams, or Slack. After a Member Account replies to the invitation, the Root Account can verify the invitation and accept or decline the response.

Creating invitation tokens

  1. Log into the Organization Portal (https://support.fortinet.com/organizations/) as the Root Account (e.g. Fortinet Email LDAP account) to create an invitation token for each SubOU. See Creating invitation tokens.
    Note

    We recommend generating a separate token for each SubOU.

  2. After the invitation tokens are created, click Download to save them to your computer as an Excel file.
  3. Send the invitation token and the link to the Organization Portal (https://support.fortinet.com/organizations/) to the Member Account master users. You can share the Organization Portal link by copying the URL from your browser.
To approve the invitation:
  1. After receiving the valid invitation token, the Member Account user goes to the Organization Portal (https://support.fortinet.com/organizations/), and clicks Join Organization with the invitation token. See Joining an organization.
  2. The Root Account approves the invitation after the member account user joins the organization. See Invitation Approval.

Organization user management

Advanced management features are available when using organizations. An Organization and Organizational Units can be created in the Organization portal and are used to enhance your company's security.

IAM users, user groups, and so on can be created and associated with Organizational Units and OU accounts with the proper permissions. If you are using OUs to organize your company, you will need to create permission profiles that reflect this hierarchy so that the necessary users, user groups, and roles can be assigned. For more information, see Organization user management.

After the Master User creates the organization, they can create an IAM user with the same level of permissions. The IAM user can be used to create other IAM users and delegate their permissions. For more information, see the Identity & Access Management (IAM) Administration Guide and User permissions.

To create an IAM permission profile:
  1. Create a permission profile. See Permission profiles within Organizations.
  2. Make sure to select Organization as the profile type. Once the permission profile is saved, the type cannot be edited.

  3. Click Add Portal. Add the following portals with a minimum access type of Read-Only. Admin access to the FortiSandbox PaaS Cloud Portal is required to provision FSA PaaS.
    • Asset Management
    • FortiCare
    • IAM
    • FortiSandbox Cloud
  4. Repeat the steps above to create different IAM permission profiles for different OU scopes or member account users.
To create an IAM user group:
  1. Create an IAM user group. See Adding an IAM user group.
  2. Ensure the IAM user group type is associated with an OU.
    1. From the Type dropdown, select Organization.
    2. From the Permission Scope dropdown, select an OU created in the previous step.
    3. From the Permission Profile dropdown, select the permission profile created in the previous step for the selected OU.

  3. Skip adding an IAM user. Repeat the steps above to create different IAM user groups for different OU scopes or member account users.
To create an IAM user:
  1. Add a new IAM user. See Creating users, user groups, and roles within Organizations.
  2. Ensure the IAM user type is associated with an OU.
    1. From the Type dropdown, select Organization.
    2. From the Permission Scope dropdown, select an OU created in the previous step.
    3. From the Permission Profile dropdown, select the permission profile created in the previous step for the selected OU.
  3. From the Permission Scope dropdown, select the permission to associate with an OU or a member account.
  4. From the Permissions Profile dropdown, select the profile created for the selected OU or member account.
  5. Associate the IAM user to the IAM user group.
  6. Repeat the steps above to create different IAM users for different OU scopes or member account users.

Set up FSA PaaS

Users can access FortiCloud using IAM user accounts or an OU account when logging in with their IAM user credentials. Once the login credentials have been verified, users can then choose to proceed with an Organizational Unit (OU) account. OU access is dependent on the permission profile assigned to your login credentials. Available OUs and member accounts will turn blue when hovered over and display the Select button.

OU account login
  1. The OU member account user logs into the FortiSandbox PaaS Cloud portal (https://fortisandboxcloud.com/) with the invitation token. See Logging into an OU account.

  2. Select the Organization scope and then select the assigned OU or account to gain access.

IAM OU account login
  1. IAM user logs into the FortiSandbox PaaS Cloud portal (https://fortisandboxcloud.com/) via IAM login.

  2. The Root Account manages the Account ID/Alias. The Root account ID is the Account ID for IAM users by default.
  3. Select the Organization scope and then select the assigned OU or account to gain access.
