Technical Tip: How to create and delete IAM user from FortiAuthenticator Cloud with specific role

Description

This article describes how to create and delete an IAM user from FortiAuthenticator Cloud with a specific Admin role.

Scope

FortiAuthenticator Cloud.

Solution

After creating a user in IAM portal - in this example, the user faccld11@gmail.com - the user will face an error message like this:

Unauthorized, you are not currently authorized to access this portal. Select a different portal or log out.

Image 1: List of IAM users.

Image 2: Error message during first login attempt.

When the user is created in the IAM portal and then used to login to the FortiAuthenticator Cloud portal, the login may fail because the user does not yet have the required permissions.

In fact, the user is initially assigned a 'No-Access' role. The master account must login first and manually assign an admin profile to that new user. After that, the user will be able to login.

In this example, the No-Access admin profile is changed to Read-only Administrator profile, just to let the user access FortiAuthenticator Cloud.

Image 3: After login with a master account, the new user is visible in the list.

Image 4: The Admin profile has been changed from No-Access to Read-only Administrator.

Access the FortiAuthenticator Cloud with the new user:

Image 5: Access the dashboard with the new user.

Image 6: Login with faccld11@gmail.com user to FortiAuthenticator Cloud.

Process of deleting the user from FortiAuthenticator Cloud:

Currently, there is no option to manually delete users with Admin profiles: whether Sponsor or the admin user.

Admin users with any role other than Sponsor will be automatically removed when they no longer exist in the IAM portal.

Deleting users directly from FortiAuthenticator Cloud GUI is not permitted for Admin or Sponsor roles. As a result, the delete button is greyed out.

Select the user in IAM portal and confirm the deletion.

Image 7: Deleting user from IAM portal

Image 8: Confirm that the user is not in the list anymore.

After that, access the FortiAuthenticator Cloud again with the master account and confirm that the user is not in the Local Users list anymore.

Image 9: The user is deleted.

Note: For example, the Token user in the list has Sponsor admin role and it is not possible to delete this user.

After deleting the user from the IAM portal, the user will still be visible in the Local Users list.

To completely remove this user from the list, request help from TAC Technical Support by creating a FortiCare ticket. See FortiCare Technical Support.