Saiduzzaman
Staff


FortiSOAR transforms Unix user access management into an automated, auditable workflow. By consolidating user data, classifying account status, and integrating with the FortiSOAR User Module, organizations gain a foundation for scalable governance today—with future expansion into Windows and hybrid environments. With this framework, user access reviews that once required manual effort can now be performed seamlessly through FortiSOAR—ensuring speed, accuracy, and audit readiness.

 

Problem Statement

Enterprises face significant challenges in managing user access across thousands of servers. While FortiSOAR's Asset Module maintains system inventories, it has no built-in mechanism to continuously review and validate the user accounts that exist on those systems. Today, administrators must manually export user lists, reconcile them with asset records, and track approvals: a process that is slow, error-prone, and unsustainable at scale. The challenge is two-fold:

  1. Automating the retrieval of user information from thousands of servers and mapping it to the correct assets in the FortiSOAR Asset Module.

  2. Establishing a governance workflow where administrators can review user accounts directly in FortiSOAR, verify changes, and ensure that updates are logged with complete audit traceability.

Proposed Solution

To overcome these challenges, we designed a FortiSOAR-driven playbook that automates end-to-end User Access Management for assets listed in the FortiSOAR Asset Module. The solution eliminates manual effort by introducing an orchestrated, auditable workflow:

 

Automated User Data Collection and Update in FortiSOAR:

  • FortiSOAR connects to multiple Unix servers (and later, Windows and network devices) using SSH or custom scripts. It retrieves complete user account details, including username, privilege groups, last login, account status, shell and expiry date.

Data Consolidation & Mapping

  • Retrieved user data is merged into a unified CSV dataset. FortiSOAR automatically maps each user entry to its corresponding asset in the Asset Module, so every user record is linked to the IRI (record identifier) of the system it was collected from.
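The collection and consolidation steps above can be made concrete. The Python below is an added example, not the author's playbook or jump-server scripts: it parses /etc/passwd, /etc/shadow and /etc/group content for one host into per-account rows (primary and supplementary groups, a privileged flag, shell, lock state, expiry), then merges rows from several hosts into a single CSV with the asset IRI attached. The file contents, hostnames and the asset IRI map are constructed for the example; the privileged-group list and the IRI format are assumptions to adapt to the site. Last-login data, which the page also collects, does not come from these three files and is left out here.

```python
import csv
import io
from datetime import date, timedelta

# Assumption for this example: membership in one of these groups counts as
# privileged. A real deployment derives the list from its sudoers/PAM setup.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
EPOCH = date(1970, 1, 1)  # /etc/shadow expiry is in days since this date


def parse_group(group_text):
    """Return (gid -> group name, user -> supplementary groups) from /etc/group."""
    gid_name, membership = {}, {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = (line.split(":") + [""] * 4)[:4]
        gid_name[gid] = name
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(name)
    return gid_name, membership


def parse_shadow(shadow_text):
    """Return user -> (password locked?, expiry ISO date or '') from /etc/shadow."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 9)[:9]
        name, password, expire = fields[0], fields[1], fields[7]
        locked = password.startswith(("!", "*"))  # '!' prefix or '*' = no usable password
        expiry = (EPOCH + timedelta(days=int(expire))).isoformat() if expire.isdigit() else ""
        result[name] = (locked, expiry)
    return result


def collect_host_users(host, passwd_text, shadow_text, group_text):
    """One row per local account, in the shape a collection script would return."""
    gid_name, membership = parse_group(group_text)
    shadow = parse_shadow(shadow_text)
    rows = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = (line.split(":") + [""] * 7)[:7]
        primary = gid_name.get(gid, gid)
        groups = sorted({primary} | membership.get(name, set()))
        locked, expiry = shadow.get(name, (False, ""))
        status = "nologin" if shell in NOLOGIN_SHELLS else "locked" if locked else "active"
        rows.append({
            "host": host, "username": name, "uid": int(uid), "primary_group": primary,
            "groups": groups, "privileged": uid == "0" or bool(set(groups) & PRIVILEGED_GROUPS),
            "shell": shell, "status": status, "expiry_date": expiry,
        })
    return rows


def merge_to_csv(rows_by_host, asset_iri_by_host):
    """Merge per-host rows into one CSV, attaching each host's asset IRI.
    Hosts with no asset record keep an empty IRI and are reported, never dropped."""
    columns = ["asset_iri", "host", "username", "uid", "primary_group", "groups",
               "privileged", "shell", "status", "expiry_date"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    unmapped = []
    for host in sorted(rows_by_host):
        iri = asset_iri_by_host.get(host)
        if iri is None:
            unmapped.append(host)
        for row in rows_by_host[host]:
            writer.writerow(dict(row, asset_iri=iri or "", groups=";".join(row["groups"])))
    return out.getvalue(), unmapped


# Constructed sample input; no real hosts, hashes or identifiers.
PASSWD_DB01 = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
svc_backup:x:990:990:Backup:/var/lib/backup:/sbin/nologin
"""
SHADOW_DB01 = """root:$6$salt$hash:19900:0:99999:7:::
alice:$6$salt$hash:19900:0:99999:7:::
bob:!$6$salt$hash:19900:0:99999:7::20453:
svc_backup:*:19900:0:99999:7:::
"""
GROUP = "root:x:0:\nwheel:x:10:alice\nusers:x:100:\nbackup:x:990:\n"
PASSWD_WEB02 = "root:x:0:0:root:/root:/bin/bash\n"
SHADOW_WEB02 = "root:$6$salt$hash:19900:0:99999:7:::\n"
# Assumed IRI format for Asset Module records; web02 intentionally has no asset.
ASSET_IRI_BY_HOST = {"db01": "/api/3/assets/1f2e3d4c-0000-4000-8000-000000000001"}

if __name__ == "__main__":
    rows = {"db01": collect_host_users("db01", PASSWD_DB01, SHADOW_DB01, GROUP),
            "web02": collect_host_users("web02", PASSWD_WEB02, SHADOW_WEB02, GROUP)}
    text, unmapped = merge_to_csv(rows, ASSET_IRI_BY_HOST)
    print(text, "hosts without an asset record:", unmapped)
```

Two points a practitioner should carry into the real pipeline: reading /etc/shadow requires root on every target, so the collection account should get that through a sudo rule limited to the read command rather than a general root shell; and hosts that have no matching asset record are surfaced instead of being silently dropped, because an unmapped host is exactly the kind of inventory gap a review is meant to catch.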

Classification of Accounts

  • Users are classified into New, Changed, Deleted, or Unchanged categories. This classification provides clarity on lifecycle events such as new users, privilege escalations, or deletions.

Review Workflow for Administrators

  • The playbook generates a structured view in the User Module, where administrators are prompted to review user accounts. Each review action (approve, reject, or escalate) is logged directly within FortiSOAR.

From Vision to Execution: Building the Framework

Designing the solution was only the beginning. The real challenge lay in bringing the idea to life inside FortiSOAR. While the proposed workflow promised automation and auditability, the actual implementation demanded precision engineering:

 

  • Custom User Module - purpose-built with the right fields and picklists
  • Secure Integration Point - a hardened jump server capable of reaching thousands of assets
  • Orchestration Pipeline - playbooks that trigger the collection scripts, gather the user data, and update the module

 

User Module Creation & Secure Data Collection

To enable automated user reviews, the first step was to design and create a User Module within FortiSOAR. This module was equipped with essential fields and picklists (e.g., account type, privilege level, last login, status, verification status) so that every account could be consistently tracked and audited. Once the User Module was established, the challenge was to safely collect user information from thousands of enterprise servers. Direct connections from FortiSOAR to each system would be risky, so a secure jump server was introduced as an intermediary. Here's how it works:

 

 


  • User Module Registry in FortiSOAR - All collected user accounts are stored in the FortiSOAR User Module, tied to their respective assets. This becomes the single pane of glass for enterprise-wide user access.
  • Controlled Connectivity via Jump Server - The jump server is hardened and configured with reachability to all enterprise assets. FortiSOAR uses it as a secure bridge, avoiding direct exposure to each server. Because this one host can reach every asset, it is itself a high-value target: the collection account should hold only the read access it needs on the targets, and the jump server's own accounts belong in the review as well.
  • Script Triggering & Data Retrieval - FortiSOAR playbooks trigger scripts on the jump server. These scripts fetch user details (usernames, privileges, last login, etc.) from each asset.
  • Update to the User Module - Retrieved user data is automatically updated in the FortiSOAR User Module. Each record is linked to the right asset and marked with a status (New, Changed, Deleted, Unchanged) for administrator review.

 

This foundation ensures secure, scalable, and centralized user visibility — the cornerstone for automated reviews.

 

Capturing Previous and Current User States

For user access reviews to be meaningful, it's not enough to know who the users are today. Organizations also need visibility into how user accounts have changed over time. To address this, the automation framework captures two states of user information and compares them:

 

  1. Previous State – The snapshot of user accounts from the last review cycle.

  2. Current State – The latest snapshot of user accounts across all servers.

  3. Comparison Engine – FortiSOAR automatically compares the two states side by side, analyzing key attributes like usernames, privileges, groups, account status, and login activity.

  4. Change Detection – Each account is then clearly categorized as New, Changed, Deleted, or Unchanged, enabling administrators to immediately see what’s different since the last cycle.


This ensures the system doesn’t just list users — it provides context about how access is evolving, highlighting potential risks such as unauthorized privilege escalation or orphaned accounts.

 

Data Parsing, Classification & Record Handling

After collecting user data and identifying differences between previous and current states, FortiSOAR parses the information and applies classification logic to determine how each record should be handled.

First Execution (Initial Run)

  • When the playbook is triggered for the first time, there is no historical baseline.

  • All user data collected is inserted into the User Module as new records.

  • This establishes the initial inventory of users across the enterprise.

Subsequent Executions (Iterative Runs after Admin Reviews)

From the second run onward, FortiSOAR evaluates differences between the previous cycle and the new data, and applies specific actions per classification:

NEW Users

Accounts that did not exist before but are present now. Action: FortiSOAR creates a new record in the User Module.

CHANGED Users

Accounts that existed previously but have modified attributes (e.g., privilege change, expiry update, group membership). Action: FortiSOAR updates the existing record with the new details.

DELETED Users

Accounts that existed previously but are missing in the current state. Action: FortiSOAR marks the record as deleted (status updated, audit trail preserved).

UNCHANGED Users

Accounts identical to the previous cycle with no changes. Action: No update required; the record remains unchanged in the User Module.

 

Why This Matters

This design ensures FortiSOAR maintains a continuously updated, auditable user inventory that reflects the true lifecycle of accounts.

  • The first run creates the baseline.

  • Every subsequent run only adjusts what changed, preserving history and reducing noise.

  • Administrators always see a clear audit trail of user access evolution across review cycles.


Review Workflow for Administrators

Once the appropriate user data is available in FortiSOAR, administrators can log in and review the user access information directly from the User Module. After the review is completed, the FortiSOAR playbook can be re-initiated to revalidate the users, ensuring that only approved accounts remain aligned with enterprise policies.

 

The verification status adapts automatically based on changes:

  • If an approved user remains unchanged, the verification status stays as Approved.

  • If a user's access level changes after approval (for example, a server administrator adds the account to a privileged group), FortiSOAR automatically resets the verification status back to Pending, signaling that the account must be re-reviewed.

This guarantees that every modification is validated, closing the loop on continuous compliance.
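The classification rules from the Data Parsing, Classification & Record Handling section and the re-verification rule just described are one comparison routine. The Python below is an added example, not the FortiSOAR playbook itself: it takes the records held in the User Module after the previous cycle and the rows from the current collection, keyed on host and username, and emits the action the playbook would take for each account (create, update, mark deleted, or nothing), resetting the verification status to Pending whenever a reviewed attribute changed. The sample records, the field names, and the decision to treat a previously deleted account that reappears as New are this example's own assumptions.

```python
from collections import Counter

# Attributes whose change marks an account 'Changed' and forces re-review.
# Assumption for this example; the real set is whatever the User Module tracks.
COMPARED_FIELDS = ("privileged", "groups", "shell", "status", "expiry_date")


def _key(record):
    """An account is identified by the host it lives on plus its username."""
    return (record["host"], record["username"])


def classify(previous, current):
    """Compare last cycle's User Module records with the current collection.

    previous: records as stored after the last review, each carrying
              'record_status' ('active' or 'deleted') and 'verification_status'.
    current:  rows from the latest collection, without review fields.
    Returns one dict per account with 'classification' (New/Changed/Deleted/
    Unchanged), 'action' (create/update/none), 'record' and 'changes'.
    On the first run 'previous' is empty and every account comes out New.
    """
    # Records already marked deleted are not part of the baseline, so an account
    # that disappears and later comes back is New and is reviewed again
    # (this example's choice).
    baseline = {_key(r): r for r in previous if r.get("record_status") != "deleted"}
    seen, actions = set(), []
    for row in current:
        key = _key(row)
        seen.add(key)
        old = baseline.get(key)
        if old is None:
            record = dict(row, record_status="active", verification_status="Pending")
            actions.append({"classification": "New", "action": "create",
                            "record": record, "changes": {}})
            continue
        changes = {f: (old.get(f), row.get(f))
                   for f in COMPARED_FIELDS if old.get(f) != row.get(f)}
        if changes:
            # Keep the existing record (and its history), overwrite the collected
            # attributes, and send it back to the review queue.
            record = dict(old)
            record.update(row)
            record.update(record_status="active", verification_status="Pending")
            actions.append({"classification": "Changed", "action": "update",
                            "record": record, "changes": changes})
        else:
            # Approved stays Approved: nothing to write.
            actions.append({"classification": "Unchanged", "action": "none",
                            "record": old, "changes": {}})
    for key, old in baseline.items():
        if key not in seen:
            # Soft delete: only the status flips; the record and its review trail stay.
            record = dict(old, record_status="deleted")
            actions.append({"classification": "Deleted", "action": "update",
                            "record": record,
                            "changes": {"record_status": ("active", "deleted")}})
    return actions


def summarize(actions):
    """Counts per classification, for the run's audit note."""
    return dict(Counter(a["classification"] for a in actions))


def privilege_escalations(actions):
    """Changed accounts that went from unprivileged to privileged since last cycle."""
    return [a for a in actions if a["changes"].get("privileged") == (False, True)]


# Constructed sample data, not from a real environment.
def _row(username, privileged, groups):
    return {"host": "db01", "username": username, "privileged": privileged,
            "groups": groups, "shell": "/bin/bash", "status": "active", "expiry_date": ""}


def _stored(username, privileged, groups, record_status="active"):
    return dict(_row(username, privileged, groups),
                record_status=record_status, verification_status="Approved")


PREVIOUS = [_stored("alice", False, ["users"]),
            _stored("bob", False, ["users"]),
            _stored("carol", False, ["users"]),
            _stored("svc_old", False, ["backup"], record_status="deleted")]
CURRENT = [_row("alice", True, ["users", "wheel"]),  # added to wheel: privilege change
           _row("bob", False, ["users"]),            # identical to last cycle
           _row("dave", False, ["users"]),           # brand-new account
           _row("svc_old", False, ["backup"])]       # deleted earlier, now back; carol is gone

if __name__ == "__main__":
    actions = classify(PREVIOUS, CURRENT)
    print(summarize(actions))
    print("escalations:", [a["record"]["username"] for a in privilege_escalations(actions)])
```

Group lists are kept sorted before comparison so that a different ordering on the next collection does not produce a spurious Changed. The Deleted branch deliberately leaves verification_status untouched, which is what preserves the audit trail the page describes; only record_status moves to deleted.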

 

Correlation Between Assets and Users

The final step establishes the critical correlation between the FortiSOAR Asset Module and the User Module. Each user account retrieved, validated, and reviewed is mapped to its corresponding asset.

  • Asset-to-User Mapping: Every asset in the environment has an associated list of user accounts. This ensures that during an asset review, administrators can immediately identify which accounts are active, inactive, pending, or deleted.

  • 360-Degree Visibility: By linking assets and users, FortiSOAR provides a unified view of the environment—bridging infrastructure, identities, and governance.

  • Security & Compliance Impact: This correlation allows enterprises to detect orphaned accounts, validate privilege levels against asset criticality, and prove compliance through end-to-end traceability.

Output Example:
An admin reviewing a critical UNIX server in the Asset Module will instantly see all associated accounts in the User Module—complete with their status and verification history. This delivers holistic insight into who has access to what, strengthening both security architecture and audit readiness.

 


Outcome & Benefits

With this framework in place, FortiSOAR transforms user access management from a manual, error-prone process into a fully automated, auditable system.

  • Automation First: User data is continuously collected, compared, and updated with minimal human effort.

  • Governance Built-In: Every admin action is logged, and verification statuses adapt dynamically to changes.

  • 360° Security Visibility: Assets and users are correlated, giving a complete view of access relationships across the enterprise.

  • Audit Ready: Full traceability ensures organizations can pass compliance audits with confidence.

  • Future Expansion: While the current playbook is built for UNIX, the same design can seamlessly extend to Windows, network devices, and hybrid environments.

In short, FortiSOAR doesn’t just automate user access management — it elevates it into a strategic governance framework that enforces security architecture and compliance at scale.

 

FortiSOAR Playbook Implementation

 

User Access Management Playbook to Fetch User Information

The FortiSOAR playbook executes remote scripts across target servers to collect user data, merges outputs into a single CSV, and imports it into the User Module. The workflow then parses the dataset, filters records by state (New, Changed, Deleted, Unchanged), and either creates or updates entries accordingly. This ensures precise synchronization of user accounts with enterprise assets while preserving audit trails.

 

STEP | ACTION | OUTCOME
1. Remote Script Execution | Run scripts on UNIX servers (Windows planned for a later phase) to extract user data | Raw user data retrieved from endpoints
2. File Handling & Merge | Consolidate the collected files into a single merged CSV | Unified dataset prepared for processing
3. IRI Mapping | Call the IRI-fetching playbook and map asset keys to records | Accurate linkage between users and assets
4. Permission Adjustment | Apply local file permission changes for secure handling | Secure access to the dataset
5. Read & Parse CSV | Import the merged dataset into FortiSOAR for parsing | Data ready for classification and update
6. Data Filtering | Categorize user accounts: Unchanged, Changed, Deleted, New | Classification of the user lifecycle
7. Record Handling | Create or update records based on classification | Unchanged: status maintained; Changed: attributes updated; Deleted: status marked deleted; New: records created

 


Correlation Between Asset and User Module

After establishing automated user data collection and reviews, the next critical step is to link users back to their respective assets. Without this correlation, access reviews remain fragmented, making it difficult to see which accounts belong to which systems. This playbook builds that bridge inside FortiSOAR, ensuring every user is mapped to the right asset for complete visibility and governance.

 
STEP | ACTION | OUTCOME
1. Find Asset | Locate the asset record in the Asset Module | Asset IRI identified
2. Find User Review | Retrieve the associated user accounts from the User Module | User IRIs identified
3. Build Mapping | Map the asset and its related user accounts together | Users correlated with their respective asset
4. Update Record | Update the FortiSOAR record with the asset-user linkage | User and asset mapping updated by IRI

 


Conclusion: Security at Speed and Scale

In modern enterprises, user access governance is not optional—it’s foundational. Manual reviews are slow, fragmented, and leave dangerous gaps. By operationalizing access validation through FortiSOAR, we’ve transformed compliance from a checkbox exercise into an automated, policy-driven workflow.

 

This isn’t just about automation—it’s about cyber resilience by design:

  • Compliance becomes code.

  • Visibility becomes verification.

  • Reviews become real-time governance.

As environments grow, this framework ensures every user is not only onboarded—but continuously verified, mapped to assets, and decisively aligned with enterprise trust boundaries.

 


Acknowledgment:

I’d like to sincerely thank Michael Zhong, Himanshu Modi, and Kosala Kandawela for their invaluable guidance, trust, and encouragement throughout this initiative. Their support and confidence in me have been instrumental in shaping and successfully delivering this work. Their insights and ideas provided the clarity needed to design the architecture effectively and ensure the process worked seamlessly.

 
