On FortiAuthenticator (FAC hereinafter) the group objects do have structural objectClasses = facGroup, groupOfNames.
User objects (uid) do have a "memberOf" attribute containing the names of their respective group memberships.
But there are no distinguished names of members inside the groups (only the "rfc822MailMember" attribute), as you can see from the ldapsearch result for a group object.
LDAP implementation on FAC is very simple and rarely used.
More often I see users imported to FAC from an external LDAP (like MS Active Directory).
Speaking of dividing users into groups and driving access privileges/levels based on group membership...
Usually I see group membership (for active auth, not talking about SSO here) handled via RADIUS AVPs.
For RADIUS "group match" on FortiGate there is Fortinet-Group-Name AVP in Fortinet's directory.
Any 3rd party would probably use something like Class from the Default directory, but check what the group match AVP is for your specific RADIUS client.
Just check "RADIUS Attributes" on FAC either under user or group properties. Yes, those RADIUS AVPs can be inherited from group to all underlying users.
With one exception, users with role=Administrator (which are supposed to be user accounts used exclusively for FAC administration) do not inherit any AVPs, even if you would explicitly allow them to authenticate via RADIUS ("Allow RADIUS authentication" which is by default disabled once the user role changes to Administrator or Sponsor (admins for guest management)).
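
As an added example (not part of the original post and not Fortinet code): a decoder that lists the group-match AVPs in a RADIUS reply, so you can confirm whether FAC returned Fortinet-Group-Name or Class for a given user. It assumes Fortinet's vendor ID 12356 and sub-attribute type 1 for Fortinet-Group-Name; the sample packet and the group names in it are constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356      # Fortinet's IANA enterprise number (assumed from its dictionary)
FORTINET_GROUP_NAME = 1         # Fortinet-Group-Name sub-attribute type (assumed likewise)
ATTR_CLASS, ATTR_VSA = 25, 26   # RFC 2865: Class and Vendor-Specific

def iter_tlv(buf, what):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length}")
        yield typ, buf[pos + 2:pos + length]
        pos += length

def group_avps(packet):
    """Return the group-match AVPs found in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    found = {"Fortinet-Group-Name": [], "Class": []}
    for typ, val in iter_tlv(packet[20:length], "attribute"):
        if typ == ATTR_CLASS:
            found["Class"].append(val.decode("utf-8", "replace"))
        elif typ == ATTR_VSA and len(val) >= 4:
            if struct.unpack("!I", val[:4])[0] != FORTINET_VENDOR_ID:
                continue  # some other vendor's dictionary
            for vtyp, vval in iter_tlv(val[4:], "sub-attribute"):
                if vtyp == FORTINET_GROUP_NAME:
                    found["Fortinet-Group-Name"].append(vval.decode("utf-8", "replace"))
    return found

def avp(typ, value):
    """Encode one type/length/value attribute."""
    return bytes([typ, len(value) + 2]) + value

def sample_accept():
    """Constructed Access-Accept (code 2); authenticator is zeroed and not verified."""
    vsa = struct.pack("!I", FORTINET_VENDOR_ID) + avp(FORTINET_GROUP_NAME, b"vpn-users")
    attrs = avp(ATTR_VSA, vsa) + avp(ATTR_CLASS, b"staff")
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(group_avps(sample_accept()))
```
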