So far I am able to retrieve a new API token via the GUI and by using the CLI methods. Would like however to retrieve a new API token via the POST method. Read the documentation from the link below and followed by using a POST /api/v2/monitor/system/api-user/generate-key?vdom=root and a body with
https://fndn.fortinet.net/index.php?/fortiapi/1-fortios/100/
This for only returns a 401 unauthorized. How then can proper authorization be included?
Appreciate it
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Make the change in CLI. I don't know why, but the super_admin profile appears to be available for an API admin only in the CLI, not in the GUI.
You can make the configuration as usual in the GUI, and then switch the profile to super_admin in the CLI as the last step.
The API documentation states you need sysgrp.admin permission (System>Administration Users in the GUI's terminology). Does your account have that?
Additionally, I imagine there might also be some additional restrictions such as not being able to generate an API key for a "super_admin" API account. (which could be interpreted as a sort of "privilege escalation" potentially)
Under System > Administrators > REST API Administrator, this user has super_admin_readonly permissions. Now I have tired admin_noaccess as well but that was a no go.
And what about the API user making this request?
I did a quick test with 7.0.8, and while the docs say that sysgrp.admin is required, I was only able to generate a new API-key when the requesting api-user was a super_admin. (not even prof_admin (everything read-write) was sufficient).
Correct the user making the request has been an apiuser. This is v7.2.2 on a FortiWifi 80F-2R. This is the below request. I have given all read/write permissions to the apiuser as well.
The syntax is good, but I will have to re-iterate my suspicion that the call will most likely only be accepted if the API-user making this request is a super_admin.
Edited this reply from before. No, the user does not have super_admin from setting the below screenshot settings. Instead super_admin can only be achieved using the CLI. Using this command:
config system api-user
edit apiadmin
set accprofile super_admin
Hello all
The apiuser has been granted full permissions, including the sysgrp.admin as requested. Still am not getting any success with the API call. Any additional thoughts?
Appreciate it
I'm sorry but I have to ask again: Have you set the apiuser's (the account that is making the request) access profile to super_admin? Please do note that a profile with full read-write is not equivalent to super_admin.
Hello,
An administrator Profile called super_admin does not appear under the drop down list when creating a REST API admin. For an Administrator, Local admin it does appear to have super_admin. Why then does super_admin appear missing for REST API admin?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1536 | |
1029 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.