Uploading users

There are three ways that users can be added to the Admin Portal:

  • Manually creating users via the tenant interface by entering the user First Name, Last Name, Email, Department, and Title.

    Note

    There is no mapping to a manager email when creating users using this method. This means that managers will not receive notifications for Remediation rules.

  • Importing from a CSV file which includes the user First Name, Last Name, Country, Email, Department, Job Title, and Manager email. When included in the .csv, the manager email is used to build the reporting hierarchy in the framework.

  • Synchronizing from an LDAP Directory. Currently only LDAP import is available. LDAPS (LDAP with TLS) will be supported at a later date. When importing from LDAP, the Organizational Units (OUs) of the Directory are used to populate the Departments framework, and the title Directory attribute is used to populate the Positions framework. The mail attribute from the user entry is used to populate the user's email address. Use the givenName attribute and the surname (sn) attribute to populate the First and Last names in the tenant.

Manually Creating Users

To manually create users:
  1. Go to Users, then select Add New User.

  2. Enter the requested information into the Add New User dialog (First Name, Last Name, Email, Department, and Title) and select Save.

    You should now be able to find the user entry in the system by selecting Users in the Navigation Menu.

Importing from a CSV file

To import from a CSV file:
  1. Go to Users, then select Import via CSV File.

  2. Before you can import users via a CSV file, you must first download the example.csv text file, then open it with a text or spreadsheet editor.

    Note

    Save the file as CSV. Once downloaded, you can open the spreadsheet to see the expected input. Leave the first line unchanged, then edit the following lines and add your user data.

  3. Upload the file by either dragging and dropping it into the frame or browsing to and choosing a file for upload.

Best practices

When you are editing the CSV file, use the following best practices:

  • Do not modify the first-row entries or change their order. These are system variables that map to the tenant database.

  • Ensure correct case (title case) and accuracy for the firstname, lastname, country, email, department, job_title, and manager_email values. The values entered here will be used in reporting, printed completion certificates, and so on.

  • Include all data requested in the spreadsheet (First Name, Last Name, Country, Email, Department, Job Title, and Manager email). Not including the job_title and manager_email values will create a flat structure. If the manager email is not included (including the manager’s entry in the .xlsx), then Remediation rules will not send emails to a manager. For example, if you do not include the Department, all users will be listed in one Department with a default name. If you do not include the manager_email, you will also not get a hierarchy of users, making it more labor-intensive to set up reporting.

Sample input when all columns are populated

The following image includes an example file with values inputted:

In this data set, there would be five departments created in the Department framework: Information Technology, Marketing, Sales, Finance, and Information Security since these are the only unique Department framework values.

For the Positions framework, the following hierarchy would be created due to the population of the manager_email column:

If you chose not to include the manager_email column, the structure would look like the following:

Note that the Departments are still there; however, there is no hierarchical structure below the department. We can still assign one or more people at the management level to receive reports, and so on, when manually setting up the report.

If you choose not to include the departments column in the .csv file, your organizational structure would be flat. All users would appear in one group. For smaller organizations, this may still be okay as there may only be one or two administrators managing the Admin Portal.
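
A pre-upload check for the CSV described above, as an added example (not Fortinet's code): it confirms the header row is unchanged, flags empty department or job_title values, and reports manager_email values that match no user row, since those users would fall outside the reporting hierarchy. The column order in EXPECTED_HEADER and the sample rows are assumptions; copy the real first row from the example.csv you downloaded.

```python
import csv
import io

# Column names as listed on this page; their order here is an assumption.
# Take the authoritative first row from the example.csv you downloaded.
EXPECTED_HEADER = ["firstname", "lastname", "country", "email",
                   "department", "job_title", "manager_email"]

def check_import_csv(text, expected_header=EXPECTED_HEADER):
    """Return (problems, departments, top_level) for a user-import CSV."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != expected_header:
        return ["line 1: header row differs from example.csv"], [], []
    problems, users, seen = [], [], {}
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(expected_header):
            problems.append(f"line {lineno}: expected {len(expected_header)} columns")
            continue
        user = dict(zip(expected_header, (cell.strip() for cell in row)))
        user["line"] = lineno
        email = user["email"].lower()
        if "@" not in email:
            problems.append(f"line {lineno}: missing or malformed email")
        elif email in seen:
            problems.append(f"line {lineno}: duplicate of line {seen[email]}")
        else:
            seen[email] = lineno
        for col in ("department", "job_title"):
            if not user[col]:
                problems.append(f"line {lineno}: empty {col}")
        users.append(user)
    top_level = []
    for user in users:
        manager = user["manager_email"].lower()
        if not manager:
            top_level.append(user["email"])  # no manager: top of the hierarchy
        elif manager == user["email"].lower():
            problems.append(f"line {user['line']}: user is their own manager")
        elif manager not in seen:
            problems.append(f"line {user['line']}: manager {manager} has no row")
    departments = sorted({u["department"] for u in users if u["department"]})
    return problems, departments, top_level

# Constructed sample data (example.com addresses are placeholders).
SAMPLE = """firstname,lastname,country,email,department,job_title,manager_email
Ana,Ruiz,Spain,ana.ruiz@example.com,Information Security,CISO,
Ben,Okoro,Nigeria,ben.okoro@example.com,Information Security,Analyst,ana.ruiz@example.com
Cy,Lam,Canada,cy.lam@example.com,,Account Executive,dana.wu@example.com
"""

if __name__ == "__main__":
    problems, departments, top_level = check_import_csv(SAMPLE)
    print("\n".join(problems) or "no problems found")
    print("departments:", departments, "| top level:", top_level)
```

A row with an empty manager_email is treated here as the top of the hierarchy rather than as an error; that interpretation is an assumption of this example.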

Synchronizing from an LDAP Directory

For Premium accounts, customer and partner administrators may import users from an LDAP Directory server or a Microsoft Active Directory server. If this method is used, you must map the appropriate attributes from the LDAP Directory to the correct Portal attributes.

Note

Connectivity must be available through the firewall in order for the service to import and periodically sync users from your Directory if it is not available in the DMZ or on the internet. This may require firewall changes to your networked environment. It may also require an account to authenticate and bind to your Directory.

When creating firewall rules, allow traffic from the following IPs to the port you have configured on your LDAP server:

  • 44.199.89.48

  • 23.23.99.234

Here are the default Directory attributes. It is important that all Directory attributes are present and populated for the service to operate correctly:

Service field name    Directory attribute
Firstname             givenName
Lastname              sn
Email                 mail
Title                 title
Department            department
Manager               Manager

The Manager attribute maps the DN (distinguished name) of the user's manager in Active Directory.

Note

Before configuring LDAP import of users, please open a case by sending an email to infosec_awareness@fortinet.com for assistance and additional information.

To create a configuration:
  1. Go to Users and select Import via LDAP.

  2. Click Create Configuration.

  3. Configure the LDAP Configuration settings.

    Setting: Description

    Name: Give your connection a meaningful name. For example, you can have multiple configurations each pointing to different OU levels within your Directory. The name should reflect the type of connection and location of the data that will be imported in this configuration.

    LDAP Server URL: Provide the IP address or FQDN of the LDAP server you are configuring for user import.

    Base DN: Enter the top-level OU that you would like to import users from. You can specify all users from the top of the Directory or a single OU within the Directory Information Tree (DIT) structure. If you wish to specify multiple OUs from different locations in the Directory, you can create multiple configurations or use the Search Filter field to specify more specific data locations.

    Search Filter: Enter the search filter used to identify users within the DIT structure. The default (all users) should be set to (objectClass=*).

    Port Number: Enter the port number that your Directory listens on. Default registered ports are: 389 (ldap) and 636 (ldaps). Ensure that you set the correct port corresponding to the Connect Mode (below): LDAP or LDAPS, which dictates the protocol used to bind to the Directory.

    User DN: Enter the Directory username that will be used to allow the service to bind to your Directory.

    Password: Enter the corresponding password for the User DN Directory username that will be used to allow the service to bind to your Directory.

    Connect Mode: Select the protocol you will use that corresponds to the Port Number above (i.e. LDAP or LDAPS).

  4. Configure the LDAP Attributes Mapping settings.

    Note

    Before configuring this section, contact your Directory administrator to obtain the Directory attributes being used to store the following information. Default Directory attributes for Active Directory have been provided. All data points mentioned below should be present and populated either in the default attribute, or a different attribute.

    Attribute names are case sensitive.

    Setting: Description

    Firstname: Enter the Directory attribute where the user’s first name information is stored. By default, in Active Directory, this is the givenName attribute.

    Lastname: Enter the Directory attribute where the user’s last name information is stored. By default, in Active Directory, this is the sn (surname) attribute.

    Email: Enter the Directory attribute where the user’s email information is stored. By default, in Active Directory, this is the mail attribute.

    Title: Enter the Directory attribute where the user’s title information is stored. By default, in Active Directory, this is the title attribute.

    Department: Enter the Directory attribute where the user’s department information is stored. By default, in Active Directory, this is the department attribute.

    Manager: Enter the Directory attribute where the user’s manager information is stored. By default, in Active Directory, this is the manager attribute.

  5. Click Save the Configuration.

    The Import User via LDAP page is displayed with your configuration saved.

  6. Select Sync to begin syncing your user data into the service.
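
Before selecting Sync, the attribute mapping can be checked offline against an LDIF export of the same Base DN and Search Filter. The following is an added example, not Fortinet's code: it parses LDIF (folded lines and base64 values included) and reports entries that lack a mapped attribute or whose manager DN lies outside the export. The sample export, its DNs and the lower-case DN comparison are assumptions of this example.

```python
import base64

# Portal field -> Directory attribute, using the defaults listed on this page.
MAPPING = {"Firstname": "givenName", "Lastname": "sn", "Email": "mail",
           "Title": "title", "Department": "department", "Manager": "manager"}

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    # In LDIF, a newline followed by one space marks a folded (continued) line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries, current = [], {}
    for line in unfolded.splitlines() + [""]:
        if not line.strip():                 # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):       # skip comments
            name, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name, []).append(value.strip())
    return entries

def check_entries(entries, mapping=MAPPING):
    """Return {dn: [findings]} for entries that would import incomplete."""
    records = [e for e in entries if "dn" in e]
    known = {e["dn"][0].lower() for e in records}   # simplified DN comparison
    findings = {}
    for entry in records:
        # Exact-case lookup: the page states attribute names are case sensitive.
        missing = [f for f, a in mapping.items() if not any(entry.get(a, []))]
        notes = [f"missing {', '.join(missing)}"] if missing else []
        for manager_dn in entry.get(mapping["Manager"], []):
            if manager_dn.lower() not in known:
                notes.append(f"manager outside export: {manager_dn}")
        if notes:
            findings[entry["dn"][0]] = notes
    return findings

# Constructed sample export; every DN, name and address is a placeholder.
SAMPLE_LDIF = """\
dn: OU=Sales,DC=example,DC=com
objectClass: organizationalUnit

dn: CN=Zoe Kerr,OU=Sales,DC=example,DC=com
givenName:: Wm/Dqw==
sn: Kerr
mail: zoe.kerr@example.com
title: Sales Director
department: Sales
manager: CN=Ida Moss,OU=Exec,DC=example,DC=com

dn: CN=Raj Patel,OU=Sales,DC=example,DC=com
givenName: Raj
sn: Patel
mail: raj.patel@example.com
department: Sales
manager: CN=Zoe Kerr,OU=Sales,
 DC=example,DC=com
"""
```

The OU entry in the sample is reported as missing every field because the (objectClass=*) filter matches all entries under the Base DN, not only user objects.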

Modifying an Existing Configuration

Should an existing Import Users via LDAP configuration require modification, you can modify the configuration.

To modify an existing configuration:
  1. Go to Users, then select Import via LDAP.

  2. Click on the Name for the configuration you wish to modify.

    You will be prompted to Pause and Edit or Cancel the Edit Configuration.

  3. Modify any information that you wish to change and select Save the Configuration.

  4. Select Sync.

Deleting an Existing Configuration

Deleting Import Users via LDAP configurations will:

  • Remove the configuration from the interface.

  • Archive any users (including metadata, such as campaign and module information) that are part of this configuration. You will not be able to see user information or assign these users to Campaigns in the service. If the user is re-added as part of a new configuration, their user metadata will return.

  • Return your Allocated user count to the number in use minus the count of users contained within the deleted LDAP configuration.

To delete an Import Users via LDAP configuration:
  1. Go to Users, then select Import via LDAP.

  2. Click Delete on the entry of the Import Users via LDAP configuration you wish to delete.
