Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.2.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiAppSec Cloud User Guide

    Asset Groups

    Asset Groups

    Manage administrative permissions by organizing applications into asset groups, and assigning users to those groups.

    This system replaces the older Custom Application Permissions feature, while providing similar capabilities with improved flexibility.

    To use this feature, go to General > Settings and enable Asset Groups. This feature is only supported for Local type IAM users. It is not supported for users authenticated through an external identity provider (IdP), nor IAM users with Organization type permissions.

    When Asset Groups is enabled:

    • When onboarding a new WAF application, you must select an Asset Group for the application.

    • IAM users will not be able to see applications unless they are added to the Global Asset Group by the Master user.

    Key Concepts

    • Asset: Each WAF application is treated as a separate asset. Ownership of the asset remains with the account, but management rights can be delegated to users.

    • Default Access:IAM users have management rights to zero assets by default. Master users and OU admins have access to all assets, and can grant access to IAM users by assigning them to asset groups.

    • Access Restrictions: Users can only view or manage applications—and their related data such as attack logs, event logs, security incidents, insights, and reports—if they are granted management rights through an asset group.

    • Asset Groups: These act as an intermediary between users and assets. You cannot assign assets directly to users. Instead, use asset groups to efficiently grant permissions for multiple assets to one or more users.

    • Global Asset Group: This is a default group that contains all assets in your account. You can configure account-wide settings here that apply to all WAF applications.

      • It is listed first on the Asset Groups page.

      • It is managed by the Master user and OU Admins by default.

      • IAM users can be added as administrators for the Global Asset Group.

    Relationship Summary

    • Assets → Asset Groups: Many-to-one

      Each asset belongs to only one asset group aside from the Global Asset Group.

    • Asset Groups ↔ Users: Many-to-many

      A group can have many users, and a user can be assigned to multiple groups.

    Interaction with FortiCloud IAM permission profiles

    Permission control continues to follow the access levels defined in the IAM Portal. For example, if a user is granted Read & Write permissions for the resource in the IAM portal, they will have Read & Write access to all applications they are assigned through Asset Groups.

    We recommend setting the IAM permission profile for non-master users and non-OU admins to Read Only or No Access for the FortiAppSec Cloud > General resource. This ensures these users will not be able to overwrite General configurations, even if they are assigned as Asset Group Administrators.

    This ensures consistent and conflict-free permission enforcement between FortiAppSec Cloud and IAM.

    View Asset Groups

    On the Asset Groups page, you can view all created asset groups.

    Edit or Delete Asset Groups

    You can edit or delete an Asset Group by clicking the corresponding icons in the Action column.

    Create Asset Group

    Each account can have up to 32 Asset Groups.

    1. Click Create Asset Group.

    2. Enter a name for your Asset Group.

    3. Move desired WAF Assets in from the Available list to the Selected list using the following buttons.

      All items under the Selected list will be added to the Asset Group. Each group can contain up to 500 Assets.

      • Moves all assets from the Available to the Selected list.

      • Moves selected assets from the Available to the Selected list.

      • Moves all assets from the Selected list to the Available list.

      • Moves selected assets from the Selected list to the Available list.

    4. Move desired group administrators in from the Available Users list to the Selected Users list using the following buttons.

      All items under the Selected Users list will be added to the Asset Group. Each group can have up to 10 admin users, and each user can be assigned as administrators of up to 10 Asset groups.

      • Moves all users from the Available Users to the Selected Users list.

      • Moves selected users from the Available Users to the Selected Users list.

      • Moves all users from the Selected Users list to the Available Users list.

      • Moves selected users from the Selected Users list to the Available Users list.

    5. Click Save to create the Asset Group.

    Previous
    Next

    Asset Groups

    Asset Groups

    Manage administrative permissions by organizing applications into asset groups, and assigning users to those groups.

    This system replaces the older Custom Application Permissions feature, while providing similar capabilities with improved flexibility.

    To use this feature, go to General > Settings and enable Asset Groups. This feature is only supported for Local type IAM users. It is not supported for users authenticated through an external identity provider (IdP), nor IAM users with Organization type permissions.

    When Asset Groups is enabled:

    • When onboarding a new WAF application, you must select an Asset Group for the application.

    • IAM users will not be able to see applications unless they are added to the Global Asset Group by the Master user.

    Key Concepts

    • Asset: Each WAF application is treated as a separate asset. Ownership of the asset remains with the account, but management rights can be delegated to users.

    • Default Access:IAM users have management rights to zero assets by default. Master users and OU admins have access to all assets, and can grant access to IAM users by assigning them to asset groups.

    • Access Restrictions: Users can only view or manage applications—and their related data such as attack logs, event logs, security incidents, insights, and reports—if they are granted management rights through an asset group.

    • Asset Groups: These act as an intermediary between users and assets. You cannot assign assets directly to users. Instead, use asset groups to efficiently grant permissions for multiple assets to one or more users.

    • Global Asset Group: This is a default group that contains all assets in your account. You can configure account-wide settings here that apply to all WAF applications.

      • It is listed first on the Asset Groups page.

      • It is managed by the Master user and OU Admins by default.

      • IAM users can be added as administrators for the Global Asset Group.

    Relationship Summary

    • Assets → Asset Groups: Many-to-one

      Each asset belongs to only one asset group aside from the Global Asset Group.

    • Asset Groups ↔ Users: Many-to-many

      A group can have many users, and a user can be assigned to multiple groups.

    Interaction with FortiCloud IAM permission profiles

    Permission control continues to follow the access levels defined in the IAM Portal. For example, if a user is granted Read & Write permissions for the resource in the IAM portal, they will have Read & Write access to all applications they are assigned through Asset Groups.

    We recommend setting the IAM permission profile for non-master users and non-OU admins to Read Only or No Access for the FortiAppSec Cloud > General resource. This ensures these users will not be able to overwrite General configurations, even if they are assigned as Asset Group Administrators.

    This ensures consistent and conflict-free permission enforcement between FortiAppSec Cloud and IAM.

    View Asset Groups

    On the Asset Groups page, you can view all created asset groups.

    Edit or Delete Asset Groups

    You can edit or delete an Asset Group by clicking the corresponding icons in the Action column.

    Create Asset Group

    Each account can have up to 32 Asset Groups.

    1. Click Create Asset Group.

    2. Enter a name for your Asset Group.

    3. Move desired WAF Assets in from the Available list to the Selected list using the following buttons.

      All items under the Selected list will be added to the Asset Group. Each group can contain up to 500 Assets.

      • Moves all assets from the Available to the Selected list.

      • Moves selected assets from the Available to the Selected list.

      • Moves all assets from the Selected list to the Available list.

      • Moves selected assets from the Selected list to the Available list.

    4. Move desired group administrators in from the Available Users list to the Selected Users list using the following buttons.

      All items under the Selected Users list will be added to the Asset Group. Each group can have up to 10 admin users, and each user can be assigned as administrators of up to 10 Asset groups.

      • Moves all users from the Available Users to the Selected Users list.

      • Moves selected users from the Available Users to the Selected Users list.

      • Moves all users from the Selected Users list to the Available Users list.

      • Moves selected users from the Selected Users list to the Available Users list.

    5. Click Save to create the Asset Group.

    Previous
    Next