Administration Guide

Creating a user

By default, FortiPAM has a default user with the username admin and no password.

When you go into the system for the first time, you must set a password for this account. Additional users can be added later.

To create a user:
  1. Go to User Management > User Definition, and select Create.

    The New User Definition wizard is launched.

  2. Enter the following information, and click Next after each tab:

    Configure Role

    Choose a User Role type

    Select from the following user role types:

    • Guest User

    • Standard User

    • Power User

    • Administrator

    • Customized User

    For Administrator, select from one of the available administrator roles from the Choose an Administrator Role dropdown.

    For Customized User, select from one of the available custom roles from the Choose a custom defined Role dropdown.

    The administrator/custom role decides what an administrator or a customized user can see. Depending on the nature of the administrator work, access level, or seniority, you can allow them to view and configure as much or as little as required.

    Use the search bar to look for an administrator/custom role.

    For information on the user types and their roles, see Users in FortiPAM and Role.

    Configure Type

    Choose a User type

    Select a user type:

    • Local User

      To change the local user password, see Admin.

    • API User

    • Remote User: Select the option if you want to enable login for one remote user in a remote group, and assign the user the remote user type for the FortiPAM session.

    For Remote User, select a remote group where the user is found. See User groups.

    Use the search bar to look for a remote group.

    For information on the user types, see Users in FortiPAM.

    Configure User Details

    Username

    The username.

    Do not use the characters < > ( ) # " ' ` in the username.

    Password

    The password.

    Note: This option is only available when the user type is local.

    Confirm Password

    Enter the password again to confirm.

    Note: This option is only available when the user type is local.

    Status

    Enable/disable user login to FortiPAM.

    When you attempt to create a new user that exceeds the licensed seats, the Status option in the Configure User Details tab cannot be enabled.

    As you hover over the Enable button, a tooltip appears, alerting you that the user cannot be enabled because you have exceeded your licensed seats.

    Note: The option is not available when the user type is an API user.

    Email address

    The email address.

    Critical System Email Alert

    Enable/disable sending critical system alerts via email.

    Note: The option is disabled by default.

    General Email Alert

    Enable/disable sending general alerts via email.

    Note: The option is disabled by default.

    Comments

    Optionally, enter comments about the user.

    Two Factor Authentication

    Enable/disable using two-factor authentication.

    Note: Two factor authentication is disabled by default.

    Note: Two factor authentication is not available for an API user.

    You can also set up Two Factor Authentication using CLI. See Two Factor Authentication using CLI.

    Authentication Type

    Specify the type of user authentication used:

    Token

    From the dropdown, select a token.

    Note: The option is mandatory and only available when the Authentication Type is FortiToken.

    Send Activation Code

    Enable/disable sending activation codes, and select either Email or SMS as the mode to send the activation code.

    To select the SMS option, enable SMS first.

    Note: This option is only available when FortiToken Cloud is the Authentication Type.

    Email address

    The email address.

    Note: This option is mandatory when:

    • Authentication Type is FortiToken.

    • Authentication Type is FortiToken Cloud.

    • Authentication Type is Email based two-factor authentication.

    The email address is synced from the email address entered in the Configure User Details pane.

    SMS

    Enable/disable SMS.

    Note: This option is enabled when SMS based two-factor authentication is selected.

    Country Dial Code

    From the dropdown, select a country code.

    Note: The option is mandatory when:

    • Authentication Type is SMS based two-factor authentication.

    • SMS is enabled for any other Authentication Type.

    Phone Number

    Enter the phone number.

    Note: The option is mandatory when:

    • Authentication Type is SMS based two-factor authentication.

    • SMS is enabled for any other Authentication Type.

    Configure Trusted Hosts

    IPv4 Trusted Hosts

    The trusted IPv4 addresses from which the user is allowed to connect to FortiPAM.

    Use the + button to add a new IPv4 address and the x button to delete an added IPv4 address.

    Configure the schedule during which the user can connect to FortiPAM

    Enable/disable configuring the login schedule for the users.

    From the dropdown, select a schedule. See Schedule.

    Note: This option is disabled by default.

  3. In the Review tab, verify the information you entered and click Submit to create the user.

    Use the pen icon to edit tabs.

Alternatively, use the CLI commands to create users.

To regenerate the API key:
  1. Go to User Management > User Definition.
  2. Select the API user whose API key you intend to change and then select Edit.
  3. In the Details pane, select Re-generate API Key.
  4. In the Re-generate API Key window, select Generate.

    Regenerating the API key will immediately revoke access for any API consumers using the current key.

    A new API key for the API user is generated.

  5. Click Close.

Example CLI configuration to set up a local user:

    config system admin
        edit <user_name>
            set accprofile <role_name>
            set password <password>
        next
    end

Example CLI configuration to set up a remote LDAP user:

    config system admin
        edit <ldap_username>
            set remote-auth enable
            set accprofile <profname>
            set remote-group <ldap_group_name>
        next
    end

Example CLI configuration to set up a remote RADIUS user:

    config system admin
        edit <radius_username>
            set remote-auth enable
            set accprofile <profname>
            set remote-group <radius_group_name>
        next
    end

Example CLI configuration to enable two-factor authentication:

    config system admin
        edit <username>
            set password "myPassword"
            set two-factor <fortitoken | fortitoken-cloud | email>
            set fortitoken <serial_number>
            set email-to "username@example.com"
        next
    end
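As an added example (not FortiPAM code and not part of this guide), the following Python checks a user definition against the rules stated above (forbidden username characters, password for local users only, remote group for remote users, no two-factor authentication for API users, and the mandatory token and email fields) and then renders the config system admin block in the same form as the CLI examples. The UserSpec record and its field names are this example's own assumptions, and it covers only the three two-factor values the CLI example lists.

```python
from dataclasses import dataclass
from typing import Optional

FORBIDDEN_USERNAME_CHARS = set('<>()#"\'`')  # characters the guide forbids in a username
CLI_TWO_FACTOR_MODES = ("fortitoken", "fortitoken-cloud", "email")  # values in the guide's CLI example

@dataclass
class UserSpec:  # hypothetical record; field names are this example's own, not FortiPAM's
    username: str
    user_type: str                    # "local", "api" or "remote"
    accprofile: str                   # administrator/custom role name
    password: Optional[str] = None    # local users only
    remote_group: Optional[str] = None
    two_factor: Optional[str] = None  # one of CLI_TWO_FACTOR_MODES
    fortitoken: Optional[str] = None  # FortiToken serial number
    email: Optional[str] = None

def validate(u: UserSpec) -> list:  # returns the rule violations; [] means the spec is acceptable
    errors = []
    if bad := sorted(FORBIDDEN_USERNAME_CHARS & set(u.username)):
        errors.append("username contains forbidden characters: " + " ".join(bad))
    if u.user_type == "local" and not u.password:
        errors.append("local users need a password")
    if u.user_type == "remote" and not u.remote_group:
        errors.append("remote users need a remote group")
    if u.user_type == "api" and u.two_factor:
        errors.append("two-factor authentication is not available for an API user")
    if u.two_factor:
        if u.two_factor == "fortitoken" and not u.fortitoken:
            errors.append("fortitoken mode needs a token serial number")
        if not u.email:
            errors.append("email address is mandatory for " + u.two_factor)
    return errors

def render_cli(u: UserSpec) -> str:  # emits the 'config system admin' block in the guide's form
    # The guide shows CLI forms for local and remote users only, so API users are refused here.
    errors = validate(u) + (["the guide shows no CLI form for API users"] if u.user_type == "api" else [])
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["config system admin", f"    edit {u.username}", f"        set accprofile {u.accprofile}"]
    if u.user_type == "remote":
        lines += ["        set remote-auth enable", f"        set remote-group {u.remote_group}"]
    if u.password:
        lines.append(f'        set password "{u.password}"')
    if u.two_factor:
        lines.append(f"        set two-factor {u.two_factor}")
        if u.fortitoken:
            lines.append(f"        set fortitoken {u.fortitoken}")
        lines.append(f'        set email-to "{u.email}"')
    lines += ["    next", "end"]
    return "\n".join(lines)
```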
