
Configuring Identity and Access Management (IAM) for MSSP

Configuring Administrative IAM user for organization

Once Member Accounts are joined (or added) to the corresponding sub-OUs, as a best practice the MSSP must first create an administrative IAM user for the organization, also referred to as the Organization Administrative IAM user. This IAM user is used for the sole purpose of creating additional IAM users and delegating responsibilities to them accordingly.

To configure an Organization administrative IAM user:
  1. Log in to the IAM portal using the MSSP Root account.

  2. View the default permission profile:

    1. Go to Permission Profiles and notice a default Permission Profile named SysAdmin.

    2. Click on SysAdmin to view more details.

      The default SysAdmin profile has full access to the Asset Management, IAM, and FortiCare portals.

      Note

      The default SysAdmin permission profile does not grant access to the FortiSASE portal. Therefore, it cannot be used to log in to the FortiSASE MSSP Portal.

      To grant the Administrative IAM User access to the FortiSASE MSSP Portal, you must configure a new permission profile that specifically allows access to the FortiSASE portal.

  3. Go to Users and click Add New > IAM User.

  4. On the User Details page, enter the required information for the administrative IAM user.

  5. Click Next.

  6. On the User Permissions page, set the following:

    Do you want your permission controlled by an IAM User Group?  No
    Select a Type                                                 Organization
    Select an Organization Unit or Account                        SecureAccess Networks
    Select a Permission Profile                                   SysAdmin

  7. Click Next.

  8. Review the Confirmation page, then click Confirm.

  9. On the Successful User Registration page, click Generate Password.

  10. In the Login with the Generated Link pop-up, click Generate Password.

  11. Use the URL that is generated to reset the password for the administrative IAM user.

  12. On the Reset Password page, note the Email ID, Username, and Account ID information for the administrative IAM user. This information is used to log in to the Organizations Portal.

  13. Enter a new password, then click RESET PASSWORD.

  14. To log in using the new organization administrative IAM user:

    1. Go to Organizations Portal.

    2. Select the IAM LOGIN tab, enter the account details (Account ID/Alias, Username, and Password) for the administrative IAM user, and click LOG IN.

    3. Enter the two-factor token code sent to the IAM user's registered email ID to log in.

    4. Click the checkbox at the bottom and click Accept to accept Fortinet Service Terms & Conditions.

    5. Confirm that you are logged in as the administrative IAM user, shown by the username in the top right corner of the Organizations portal.

Configuring Permission profiles for IAM users

In our example, the MSSP SecureAccess Networks requires configuring the following IAM users, each assigned to a Permission Scope and Permission Profile that match their job responsibilities.

IAM user        Permission Scope   Permission Profile
tier3-analyst   OU: Premium        Network-security-analyst
tier2-analyst   OU: Standard       Network-security-analyst
tier1-analyst   OU: Basic          Network-security-analyst
soc-analyst     OU: Premium        SOC-analyst

The administrative IAM user is responsible for configuring additional IAM users with appropriate Permission Scope and Permission profiles. This can be done by following these steps:

To configure Permission profiles for IAM users:
  1. Once the administrative IAM user (administrative-iam-user) is logged into the Organizations portal, click Services > IAM to go to FortiCloud IAM portal.

  2. In the OU or OU member context view, hover over Root Account for OU SecureAccess Networks, and click Select.

  3. On the IAM portal, click Permission Profiles > Add New.

  4. Under BASIC INFO, enter the following details:

    Permission Profile Name   Network-security-analyst
    Status                    Active
    Description               Permission profile for network security analysts.
    Select a Type             Organization

  5. Under PERMISSION PROFILE, click Add Portal.

  6. From the portal list, select Asset Management, FortiCare New, and FortiSASE.

  7. Click Add.

    Note

    To grant an IAM user access to the FortiSASE MSSP Portal, the FortiSASE portal must be added to their assigned Permission Profile. This allows the IAM user to log in and manage FortiSASE instances through the MSSP portal.

  8. For all selected portals, select Read & Write access for all resources.

  9. Click Submit.

    The new profile becomes available on the Permission Profiles page.

  10. Similarly, configure an additional permission profile named SOC-analyst with Read Only access to the Logging, Monitoring, and Dashboards resources of the FortiSASE portal, and set all other resources to No Access. See Resource-based permissions for the detailed combination of FortiSASE portal resources required to control access to specific FortiSASE features.

  11. Click Submit.

Configuring IAM users and assigning Permission Profile and Permission Scope

To configure additional IAM users:
  1. Using the administrative IAM user, go to FortiCloud IAM portal.

  2. Go to Users and click Add New > IAM User.

  3. For IAM USER INFORMATION, enter the following:

    Username            tier3-analyst
    Full Name           Enter the desired Full Name.
    Email               Enter the desired email. Note: the token code sent when this IAM user logs in to the FortiCloud portal is delivered to this email address.
    Phone               Enter the desired phone number.
    Description         IAM user to manage customers enrolled under Premium service offering
    ADOPT PERMISSIONS   Disabled

  4. Click Next.

  5. On the User Permissions page, set the following:

    Do you want your permission controlled by an IAM User Group?  No
    Select a Type                                                 Organization
    Select an Organization Unit or Account                        Premium
    Select a Permission Profile                                   Network-security-analyst

  6. Click Next.

  7. Click Confirm.

  8. Use the Generate Password button to generate a URL to reset the password for the IAM user tier3-analyst. Note the account details (Account ID/Alias and Username), which are used later for IAM user login.

  9. Perform the same steps as above to configure the remaining IAM users with their unique email IDs, Organization Permission, and Permission Profile, as shown:

    IAM user        Permission Scope   Permission Profile
    tier2-analyst   OU: Standard       Network-security-analyst
    tier1-analyst   OU: Basic          Network-security-analyst
    soc-analyst     OU: Premium        SOC-analyst

  10. On the IAM portal, go to Users to view all IAM users.
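The scope-and-profile model that these steps build, as an added illustration that is not Fortinet's code or the FortiCloud IAM API: a user's effective access is what the Permission Scope allows (which OU) intersected with what the Permission Profile grants (which portal resources, at which level), which is why SOC-analyst stays read-only and the default SysAdmin profile cannot reach the FortiSASE portal. The OU tree, the function names, and any resource names other than Logging, Monitoring, and Dashboards are assumptions.

```python
from collections import namedtuple

# Access levels as named in the FortiCloud IAM permission profile UI on this page.
NO_ACCESS, READ_ONLY, READ_WRITE = "No Access", "Read Only", "Read & Write"

# portals: portal -> {resource -> level}; "*" means every resource of that portal.
PermissionProfile = namedtuple("PermissionProfile", "name portals")
IamUser = namedtuple("IamUser", "username scope profile")  # scope = Permission Scope (OU)

# Profiles as described on the page. Resource names other than the FortiSASE
# Logging/Monitoring/Dashboards resources are assumptions.
NETWORK_SECURITY_ANALYST = PermissionProfile("Network-security-analyst",
    {p: {"*": READ_WRITE} for p in ("Asset Management", "FortiCare New", "FortiSASE")})
SOC_ANALYST = PermissionProfile("SOC-analyst",
    {"FortiSASE": {r: READ_ONLY for r in ("Logging", "Monitoring", "Dashboards")}})
SYSADMIN = PermissionProfile("SysAdmin",  # default profile: no FortiSASE entry at all
    {p: {"*": READ_WRITE} for p in ("Asset Management", "IAM", "FortiCare")})

# Constructed OU tree: the page's three sub-OUs under the MSSP's root OU.
OU_PARENT = {"SecureAccess Networks": None, "Premium": "SecureAccess Networks",
             "Standard": "SecureAccess Networks", "Basic": "SecureAccess Networks"}

USERS = {
    "tier3-analyst": IamUser("tier3-analyst", "Premium", NETWORK_SECURITY_ANALYST),
    "tier2-analyst": IamUser("tier2-analyst", "Standard", NETWORK_SECURITY_ANALYST),
    "tier1-analyst": IamUser("tier1-analyst", "Basic", NETWORK_SECURITY_ANALYST),
    "soc-analyst": IamUser("soc-analyst", "Premium", SOC_ANALYST),
    "administrative-iam-user": IamUser("administrative-iam-user", "SecureAccess Networks", SYSADMIN),
}

def in_scope(scope: str, ou: str) -> bool:
    """A scope covers its own OU and every sub-OU beneath it."""
    while ou is not None:
        if ou == scope:
            return True
        ou = OU_PARENT[ou]
    return False

def access_level(username: str, ou: str, portal: str, resource: str) -> str:
    """Effective access: the scope decides where, the profile decides what."""
    user = USERS[username]
    if not in_scope(user.scope, ou):
        return NO_ACCESS
    resources = user.profile.portals.get(portal, {})
    return resources.get(resource, resources.get("*", NO_ACCESS))

def can_log_in_to_fortisase_mssp_portal(username: str) -> bool:
    """The page's note: the FortiSASE portal must be in the profile, or login fails."""
    return "FortiSASE" in USERS[username].profile.portals
```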

For more information, see Permission Profiles and IAM users.
