eliasen
New Member
November 18, 2022
Solved

Using the API to add a user to a group


Hi all

I am trying to use the API to create users and assign them to a specific usergroup.

 

I can use the POST to /api/v1/localusers/ to create a user with a relevant JSON as body. This seems to work just fine. I am a bit annoyed that I can't just add the user_groups to that request, but so be it.

 

Then I can find all usergroups using this GET: /api/v1/usergroups/ - This will return all the usergroups along with their "resource_uri". This works fine.

 

Now, how do I add a user to the group? I don't want to use the PATCH to the /api/v1/usergroups because that would require me to include ALL the users in the PATCH-call. I just need to add a user. So I thought the best way was to use the POST to the /api/v1/localgroup-memberships/ - but it fails for me.

If I provide this JSON:

{
"group": "/api/v1/usergroups/2/",
"user": "/api/v1/localusers/25/"
}

I get an error back: "Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:"

 

So... How do I add a newly created localuser to the existing usergroup?

 

Thanks! :)

  Jan

Best answer by funkylicious

Hi,

I think the issues are related to that profile assigned to the user, biztalk.

You can check under System > Administration > Admin profiles and see what it can actually do. My bet is that it got assigned Webservice Authentication permissions set, but nothing from Users and Devices, to be able to change settings for them in regards to group membership:

Web service:
  • Can authenticate FAC as fabric device
  • Can use API to authenticate
  • Can use API to authenticate using SSO

Users and Devices:
  • Can add user group
  • Can change user group
  • Can delete user group
  • Can view user group
  • Can add local user
  • Can change local user
  • Can delete local user
  • Can view local user

 

 

 

Have you tried running w/ user admin or another administrator with full permissions?

5 replies

Anthony_E
Staff
November 21, 2022

Hello Jan,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Best Regards
Anthony_E
Staff
November 24, 2022

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Best Regards
Anthony_E
Staff
November 24, 2022

Hello Jan,

 

Your message has been moved to the Fortinet Forum FortiAuthenticator.

 

Regards,

Best Regards
Markus_M
Staff & Editor
November 25, 2022

Hi Jan,

 

what you might be looking for is this. You can add users to a group incrementally:

https://docs.fortinet.com/document/fortiauthenticator/6.4.2/rest-api-solution-guide/583007/local-user-group-memberships-localgroup-memberships

This is formally not adding a group membership to a user as you tried, but adding a user to a group as member.

 

Example:


Add one user to the group:
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/4/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/
result output:
{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 3, "resource_uri": "/api/v1/localgroup-memberships/3/", "user": "/api/v1/localusers/4/", "username": "test_user03"}

Add another user to the same group (same command, different user ID #3):
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/3/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/
result output:
{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 2, "resource_uri": "/api/v1/localgroup-memberships/2/", "user": "/api/v1/localusers/3/", "username": "test_user02"}

Checking the users/result of the actions above:
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X GET 'https://10.191.19.45/api/v1/localgroup-memberships/'

{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 2}, "objects": [{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 2, "resource_uri": "/api/v1/localgroup-memberships/2/", "user": "/api/v1/localusers/3/", "username": "test_user02"}, {"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 3, "resource_uri": "/api/v1/localgroup-memberships/3/", "user": "/api/v1/localusers/4/", "username": "test_user03"}]}

 

Hope this helps.

 

Markus
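
The incremental add described above, as an added example that is not part of the original post or Fortinet's own code: it checks the membership listing first and only builds the POST when the group/user pair is missing. The host `fac.example.test`, the function names and the trimmed sample listing are assumptions made for the illustration.

```python
import base64
import json
import urllib.request

# Constructed sample, trimmed from the listing shape shown in the post above
# (GET /api/v1/localgroup-memberships/). All function names are hypothetical.
SAMPLE_LISTING = {
    "meta": {"limit": 20, "next": None, "offset": 0, "total_count": 2},
    "objects": [
        {"group": "/api/v1/usergroups/1/", "id": 2, "user": "/api/v1/localusers/3/"},
        {"group": "/api/v1/usergroups/1/", "id": 3, "user": "/api/v1/localusers/4/"},
    ],
}


def is_member(listing, group_uri, user_uri):
    """True if this page of the listing already holds the group/user pair."""
    return any(o["group"] == group_uri and o["user"] == user_uri
               for o in listing["objects"])


def build_add_request(base_url, admin, api_key, group_id, user_id):
    """Build, without sending, the POST that adds one user to one group."""
    # int() rejects anything that is not a plain numeric ID before it reaches the URI.
    body = {"group": f"/api/v1/usergroups/{int(group_id)}/",
            "user": f"/api/v1/localusers/{int(user_id)}/"}
    # Same HTTP Basic credentials that `curl -u admin:<key>` sends.
    token = base64.b64encode(f"{admin}:{api_key}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/localgroup-memberships/",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
    )


def add_if_missing(listing, base_url, admin, api_key, group_id, user_id):
    """Return the Request to send, or None when the membership already exists."""
    if listing["meta"]["next"] is not None:
        # Listings are paged (limit 20 above); one page cannot prove absence.
        raise ValueError("fetch the remaining pages before deciding")
    req = build_add_request(base_url, admin, api_key, group_id, user_id)
    body = json.loads(req.data)
    return None if is_member(listing, body["group"], body["user"]) else req
```

Send the returned request with `urllib.request.urlopen(req)`, which verifies the server certificate by default, and load the API key from the environment or a secrets store rather than typing it on a command line.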

eliasen
Author
New Member
November 25, 2022

Hi Markus and thanks for the reply.

 

I think that this is exactly what I am already doing? You can see a screenshot from postman below - I am using the localgroup-memberships and I am POSTing JSON to add a specific user to a specific group. But it fails and I don't know why.

 

Any thoughts? Thanks.

 

FortinetApiError.PNG

Markus_M
Staff & Editor
November 26, 2022

Hi Jan,

 

indeed this is pretty much the same. I just tested again with the given curl example. It worked fine.

I will try to get postman running in my lab.

Other question is if you are sure the numbers/IDs of the users are correct? When you hover over the user you will see it or with the GET output I shared:

GET 'https://10.191.19.45/api/v1/localgroup-memberships/'

 

Best regards,

 

Markus

Staff & Editor
December 3, 2022

Hi Jan,

I have a FAC running version 6.4.4 GA.
I have tested the Curl command previously shared by Markus by importing it to Postman and I was able to add an existing user to an existing group.

curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/4/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/

This article describes how to import cURL Script to Postman:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-Preview-local-users-using-REST/ta-p/214305


You need to modify the API key and the FAC IP address before/after importing the curl script to Postman.
Also, keep in mind that both Username ID and Group ID must exist on FAC in order to add a user to a specific group.

Best regards,
Hawada1

eliasen
Author
New Member
December 5, 2022

Hi Hawada1

 

I can use the API to do lots of stuff, like getting all local users, getting all usergroups, creating localusers and so on. So I am fairly sure I have the correct hostname (I don't use IP), API-key and all that.

 

Thanks.

funkylicious
SuperUser
December 5, 2022

Hi,

Maybe try a PATCH for /v1/usergroups/ and those params.

 

"jack of all trades, master of none"