Creating a user
By default, FortiPAM has a default user with the username When you go into the system for the first time, you must set a password for this account. Additional users can be added later.
To create a user:
- Go to User Management > User Definition, and select Create.
The New User Definition wizard is launched.
- Enter the following information, and click Next after each tab:
Configure Role
Choose a User Role type
Select from the following user role types:
Guest User
Standard User
Power User
Administrator
For Administrator, select from one of the available administrator roles from the Choose an Administrator Role dropdown.
The administrator role decides what the administrator can see. Depending on the nature of the administrator work, access level, or seniority, you can allow them to view and configure as much or as little as required.
Use the search bar to look for an administrator role.
For information on the user types and their roles, see Users in FortiPAM and Role.
Configure Type
Choose a User type
Select a user type:
Local User
To change the local user password, see Admin.
API User
Remote User: Select the option if you want to enable login for one remote user in a remote group, and assign the user the remote user type for the FortiPAM session.
For Remote User, select a remote group where the user is found. See User groups.
Use the search bar to look for a remote group.
For information on the user types, see Users in FortiPAM.
Configure User Details
Username
The username.
Do not use < > ( ) # " '` characters in the username.
Password
The password.
Note: This option is only available when the user type is local.
Confirm Password
Enter the password again to confirm.
Note: This option is only available when the user type is local.
Status
Enable/disable user login to FortiPAM.
Note: The option is not available when the user type is an API user.
Email address
The email address.
Comments
Optionally, enter comments about the user.
Two Factor Authentication
Enable/disable using two-factor authentication.
Note: Two factor authentication is disabled by default.
Note: Two factor authentication is not available for an API user.
You can also set up Two Factor Authentication using CLI. See Two Factor Authentication using CLI.
Authentication Type
Specify the type of user authentication used:
FortiToken
FortiToken Cloud. See 2FA with FortiToken Cloud example.
Email based two-factor authentication (default)
Token
From the dropdown, select a token. This option is mandatory.
Note: This option is only available when FortiToken is the Authentication Type.
Send Activation Code
Enable/disable sending activation codes.
Note: This option is only available when FortiToken Cloud is the Authentication Type.
Email address
The email address.
Note: This option is mandatory.
The email address is synched from the email address added in the Configure User Details pane.
Configure Trusted Hosts
IPv4 Trusted Hosts
Trusted IPv4 addresses users use to connect to FortiPAM.
Use the + button to add a new IPv4 address and x to delete an added IPv4 address.
Configure the schedule for which the user can connect to the FortiPAM
Enable/disable configuring the login schedule for the users.
From the dropdown, select a schedule. See Schedule.
Note: This option is disabled by default.
- In the Review tab, verify the information you entered and click Submit to create the user.
Use the pen icon to edit tabs.
Alternatively, use the CLI commands to create users.
To regenerate the API key:
- Go to User Management > User Definition.
- Select the API user whose API key you intend to change and then select Edit.
- In the Details pane, select Re-generate API Key.
- In the Re-generate API Key window, select Generate.
Regenerating the API key will immediately revoke access for any API consumers using the current key.
A new API key for the API user is generated.
- Click Close.
CLI configuration to set up a local user example:
config system admin
    edit <user_name>
        set accprofile <role_name>
        set password <password>
    next
end
CLI configuration to set up a remote LDAP user example:
config system admin
    edit <ldap_username>
        set remote-auth enable
        set accprofile <profname>
        set remote-group <ldap_group_name>
    next
end
CLI configuration to set up a remote RADIUS user example:
config system admin
    edit <radius_username>
        set remote-auth enable
        set accprofile <profname>
        set remote-group <radius_group_name>
    next
end
CLI configuration to enable two-factor authentication example:
config system admin
    edit <username>
        set password "myPassword"
        set two-factor <fortitoken | fortitoken-cloud | email>
        set fortitoken <serial_number>
        set email-to "username@example.com"
    next
end
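Because two-factor authentication is disabled by default, the CLI layout above can be checked offline to confirm it has been turned on for each account. The following Python script is an added example, not Fortinet code. It assumes a saved configuration uses the same `config system admin` / `edit` / `set` / `next` layout as the examples on this page; the sample text, usernames, and token serial are constructed, and API users are not modeled.

```python
import re

# Constructed sample in the layout of the CLI examples above (not device output).
SAMPLE_CONFIG = '''\
config system admin
    edit "alice"
        set accprofile "Standard User"
    next
    edit "bob"
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER-0001"
    next
    edit "carol"
        set remote-auth enable
        set remote-group "ldap-admins"
    next
    edit "dave"
        set two-factor email
    next
end
'''

# Setting that must accompany each two-factor method (per the CLI example above).
REQUIRED = {"email": "email-to", "fortitoken": "fortitoken"}

def parse_admins(text):
    """Return {username: {setting: value}} from a 'config system admin' block."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = users.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+(.*)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return users

def audit(users):
    """Flag accounts with no two-factor method or a method missing its companion setting."""
    findings = []
    for name, cfg in sorted(users.items()):
        method = cfg.get("two-factor")
        if method is None:
            findings.append((name, "two-factor not set"))
        elif (need := REQUIRED.get(method)) and need not in cfg:
            findings.append((name, f"two-factor {method} without {need}"))
    return findings

if __name__ == "__main__":
    print(audit(parse_admins(SAMPLE_CONFIG)))
```

Remote accounts such as the constructed `carol` entry are reported as well, so the reviewer can decide whether the remote server enforces a second factor.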