Configuration workflow
The workflow for configuring FortiCloud Identity Access & Management (IAM) users and organization units (OU) and using the managed security service provider (MSSP) portal is as follows:
- Using the FortiCloud Organization portal:
  - Enable organizations. See Enabling Organizations.
  - Create an organization. See Creating an organization.
  - Add one or more OUs. See Adding and deleting OUs.
  - Add accounts to OUs by doing one of the following:
    - Invite FortiCloud accounts to join OUs. See Invitations and Creating invitation tokens. Then approve invitations to FortiCloud accounts. See Invitation Approval for details.
    - Create new member accounts linked to a real email address or a new placeholder email address generated at the same time as the member account. See Creating new Member Accounts.
- Using the FortiCloud IAM portal:
  - Set up a resource-based permission profile allowing IAM users to access FortiSASE as a portal. Permission control is global to the FortiSASE portal and provides the following roles for each resource:
    - No access
    - Read/write access
    - Read-only access

    The FortiSASE portal has the following resource categories:

    | Resource | Provides control over... |
    |---|---|
    | User & Authentication | User and authentication related settings. |
    | Policy | VPN, SWG, and SPA policies. |
    | Logging | Logging and reports features. |
    | Monitoring | Monitoring features including FortiView, Digital Experience Monitoring, Managed Endpoints, and other monitor widgets. |
    | Dashboards | Dashboard features. |
    | Network | Network features including edge devices, SPA, DNS, hosts, services, and feeds. |
    | System | System settings. |
    | Security | Security profile groups and security features. |
    | Endpoint Management | Endpoint profiles and ZTNA settings. |
    | Infrastructure | FortiSASE provisioning. |

  - Configure IAM users. See Creating users, user groups, and roles within Organizations and Adding IAM users.
- From the FortiSASE portal:
  - When an IAM user logs in to FortiSASE for the first time, there are some preliminary steps to complete to validate the new IAM user. See Validating new IAM users.
  - Access the MSSP portal using an IAM user corresponding to the root account. See Accessing the MSSP portal.
  - Monitor tenants’ FortiSASE instances. See Monitoring a tenant's instance.
  - Manage tenants’ FortiSASE instances. See Managing a tenant's instance.
For initially provisioning a tenant's FortiSASE instance, you can use one of the following approaches:
- By directly logging in to the FortiSASE portal, the customer's tenant administrator can provision the instance themselves.
- From the MSSP portal, the MSSP operations team with administrator access to the tenant can provision the instance and preconfigure it on behalf of the tenant.
For details on configuring FortiCloud OUs and adding FortiCloud accounts to OUs, see Organization Portal.
For details on creating new member accounts and managing them, see Creating new Member Accounts and Managing Member Accounts.
For details on configuring FortiCloud IAM users and permission profiles, see Identity & Access Management (IAM).
When configuring IAM users for an organization, you typically configure the user type as Organization with a Permission Scope configured to an organization unit (OU) or sub-OU. These users can access the MSSP portal. IAM users where the user type is configured as Local can directly access the FortiSASE portal into a specific tenant’s instance. However, they cannot access the MSSP portal.

When new member accounts with new placeholder email addresses, also known as placeholder accounts, have been added to sub-OUs, administrators of these sub-OUs can provision new instances associated with these placeholder accounts from the MSSP portal.