paulopires16
New Member
April 5, 2025
Question

Sync Drift/Counter

  • 2 replies
  • 524 views

We have a FortiAuthenticator implemented in our environment and we want to use a local user to Drift/Counter Sync the FortiTokens when it's needed.

Problems:

  1. The minimum permission for that user is through an "admin profile" with read & write on "Users and Devices". He can then directly access the link https://IP/admin/fortitoken/fortitokendrift/ but he can also access Authentication\User Management. We don't want that.
  2. Through "$env:SystemRoot\System32\curl.exe" and a PowerShell script we just have GET and DELETE. The idea was to GET the list of FortiTokens and POST with the 2 codes, but POST doesn't exist.
  3. Also through SSL using "exec fortitoken sync FTKXXXXXXXXXX 111111 222222": No such command...

Any other idea to sync these FortiTokens using a script? Or block the user to that specific URL? Or remove the left menu for that user?

Thanks

2 replies

Anthony_E
Staff
April 8, 2025

Hello Paulo,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards

funkylicious
SuperUser
April 8, 2025

hi,

you have the option to create a custom profile and custom permission set that allows the user that is assigned that profile/group to the user(s) to only do certain things.

in the permission set, if you create a new one you have: add/change/delete/view FortiToken drift option.

https://docs.fortinet.com/document/fortiauthenticator/6.6.2/administration-guide/418956/admin-profiles 

"jack of all trades, master of none"