FortiGate
ydong01
Staff
Article Id 283704
Description

This article describes why a REST API admin with a normal admin profile cannot display super admin users, and how to change its profile via the CLI:

  • Create an admin profile 'api-rw' with read-write permissions for the REST API admin.

  • Create the REST API admin 'api-adm' with the newly created admin profile 'api-rw'.

  • Querying the admin table returns a success status, but no admin is shown in the results:

curl -k -X 'GET' 'https://<FGT-IP>:443/api/v2/cmdb/system/admin?access_token=<API key>' -H 'accept: application/json' -H 'Content-Type: application/json'

{
  "http_method":"GET",
  "size":1,
  "matched_count":0,
  "next_idx":0,
  "revision":"472de3e5186943a752314a08a7d19718",
  "results":[
  ],
  "vdom":"root",
  "path":"system",
  "name":"admin",
  "status":"success",
  "http_status":200,
  "serial":"<FGT SN>",
  "version":"v7.2.6",
  "build":1575
}

Scope

FortiGate, API, admin profile.

Solution

Change the API admin's accprofile from 'api-rw' to 'super_admin' via the CLI (this does not work from the GUI):

FGT # show sys api-user
config system api-user
    edit "api-adm"
        set api-key ENC SH2K0D2YFgGzBPdYdX6Oappo0Jop4WAwbXCegvi0PL3jBPEh36shFGzRDDf4Og=
        set accprofile "api-rw"
        set vdom "root"
    next
end

FGT # c sys api-user
FGT (api-user) # edit api-adm
FGT (api-adm) # set accprofile super_admin
FGT (api-adm) # next
FGT (api-user) # end
FGT #

After that, api-adm can query the admin user:

 


Because api-adm now has the super_admin access profile, it operates as a super admin.
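
The following Python sketch is an added example, not Fortinet's code. It tells the "success but empty" reply described above apart from a failed call and from a reply that lists admins, and it builds the same GET request with the API key sent as a bearer token in the Authorization header (which FortiOS accepts) instead of in the URL. The function names and the two sample replies marked as constructed are assumptions.

```python
import json
import urllib.request


def build_admin_query(host, api_key):
    """Build the article's GET request, sending the key as a bearer token
    in the Authorization header so it stays out of the URL."""
    return urllib.request.Request(
        f"https://{host}/api/v2/cmdb/system/admin",
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="GET",
    )


def classify_admin_reply(body):
    """Return (verdict, admin_names) for a /cmdb/system/admin reply.

    verdict is "error" when the call failed, "hidden" when it succeeded but
    returned no entries (the api-rw symptom in the article), or "visible".
    """
    doc = json.loads(body)
    if doc.get("status") != "success" or doc.get("http_status") != 200:
        return "error", []
    names = [entry.get("name") for entry in doc.get("results") or []]
    return ("visible" if names else "hidden"), names


# Reply shown in the article for the 'api-rw' profile, trimmed to the fields used.
REPLY_API_RW = ('{"http_method":"GET","size":1,"matched_count":0,"results":[],'
                '"status":"success","http_status":200}')
# Constructed sample of a reply after the profile change (not from the article).
REPLY_SUPER_ADMIN = ('{"http_method":"GET","results":[{"name":"admin"}],'
                     '"status":"success","http_status":200}')
# Constructed sample of a rejected call.
REPLY_DENIED = '{"status":"error","http_status":403}'

if __name__ == "__main__":
    for label, body in (("api-rw", REPLY_API_RW),
                        ("super_admin", REPLY_SUPER_ADMIN),
                        ("denied", REPLY_DENIED)):
        print(label, classify_admin_reply(body))
```

A "hidden" verdict on a 200 reply is the case to alert on in monitoring scripts, since the HTTP status alone reports success.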
