Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eliasen
New Contributor

Using the API to add a user to a group

Hi all

I am trying to use the API to create users and assign them to a specific usergroup.


I can use the POST to /api/v1/localusers/ to create a user with a relevant JSON as body. This seems to work just fine. I am a bit annoyed that I can't just add the user_groups to that request, but so be it.


Then I can find all usergroups using this GET: /api/v1/usergroups/ - This will return all the usergroups along with their "resource_uri". This works fine.


Now, how do I add a user to the group? I don't want to use the PATCH to the /api/v1/usergroups because that would require me to include ALL the users in the PATCH-call. I just need to add a user. So I thought the best way was to use the POST to the /api/v1/localgroup-memberships/ - but it fails for me.

If I provide this JSON:

{
  "group": "/api/v1/usergroups/2/",
  "user": "/api/v1/localusers/25/"
}

I get an error back: "Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:"


So... How do I add a newly created localuser to the existing usergroup?


Thanks! :)

Jan

1 Solution
funkylicious

Hi,

I think the issue is related to the profile assigned to the user, biztalk.

You can check under System > Administration > Admin profiles and see what it can actually do. My bet is that it got assigned Webservice Authentication permissions, but nothing from Users and Devices, to be able to change settings for them in regards to group membership:

Web service:
Can authenticate FAC as fabric device
Can use API to authenticate
Can use API to authenticate using SSO

Users and Devices:
Can add user group
Can change user group
Can delete user group
Can view user group
Can add local user
Can change local user
Can delete local user
Can view local user


Have you tried running with user admin or another administrator with full permissions?

geek

eliasen

Hi Hawada1


I can use the API to do lots of stuff, like getting all local users, getting all usergroups, creating localusers and so on. So I am fairly sure I have the correct hostname (I don't use IP), API-key and all that.


Thanks.

funkylicious

Hi,

Maybe try a PATCH for /v1/usergroups/ and those params.

geek
eliasen

Hi funkylicious


Yeah, I can do that - and it works just fine. The problem is that I will have to provide the complete list of users and not just the one I want to add. So if another user is changing group membership at the same time my program is running, then we might have problems. So instead, I'd like to just add the one user to the group that I know should be added.


Thanks

funkylicious

Hi,

OK, to see if I get what you're trying to say.

When adding a user it overwrites the whole group by adding just the user and not appending to the existing one(s), right?

According to the documentation:


This command is not additive, i.e. adding a single user entry will not increment the list; it will overwrite it. Using {"users":[ ]} for example will clear the users list.


You would like to add a bunch of users and not just one, right?

If so, have you tried using this list in Postman?


{
  "users": ["/api/v1/localusers/4/", "/api/v1/localusers/5/", "/api/v1/localusers/6/"],
  "group": "/api/v1/usergroups/2/"
}

geek
eliasen

Hi again


Yes, the PATCH on usergroup is not additive, which is why I do not want to use that one.


I am not trying to add a list of users to the group - just one user. I have used a body that seems to be the same as the one Markus_M has working in curl, but I get the error about "Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:"


Thanks.

funkylicious

Gotcha.

I just tested it on my FAC which is running 6.4.4 also, and the following curl worked:


curl -k -v -u "admin:API_KEY" -X POST -d '{"group":"api/v1/usergroups/ID/", "user":"api/v1/localusers/ID/" }' -H 'Content-Type: application/json' https://FAC_IP/api/v1/localgroup-memberships/


L.E. I collected the user and group using /api/v1/localusers/ and /api/v1/usergroups/

geek
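A small client for the additive membership call funkylicious tested above, written as an added example for this thread (it is not code from the original posts or from Fortinet). It assumes the group listing wraps results in an "objects" array with "name" and "resource_uri" fields, and that the API key is sent as HTTP basic auth as in the curl command; when the server answers 400 with the FacGroup_users error from the first post, it points at the admin profile permissions the accepted answer describes.

```python
"""Add one local user to one local group on FortiAuthenticator via REST."""
import base64
import json
import urllib.error
import urllib.request

# Constructed sample of a GET /api/v1/usergroups/ response. The "objects"
# wrapper and "name" field are assumptions; "resource_uri" is from the thread.
SAMPLE_GROUPS = {"objects": [
    {"name": "vpn-users", "resource_uri": "/api/v1/usergroups/2/"},
    {"name": "admins", "resource_uri": "/api/v1/usergroups/7/"},
]}


def find_group_uri(groups, name):
    """Return the resource_uri of the group called `name`, or None."""
    for group in groups.get("objects", []):
        if group.get("name") == name:
            return group["resource_uri"]
    return None


def membership_body(group_uri, user_uri):
    """Body for POST /api/v1/localgroup-memberships/: exactly one user and
    one group. Unlike PATCH /api/v1/usergroups/<id>/ this does not replace
    the group's whole member list, so concurrent changes are not clobbered."""
    return {"group": group_uri, "user": user_uri}


def add_user_to_group(base_url, admin, api_key, group_uri, user_uri):
    """POST the membership with HTTP basic auth; return (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/localgroup-memberships/",
        data=json.dumps(membership_body(group_uri, user_uri)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    token = base64.b64encode(f"{admin}:{api_key}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verified
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        if err.code == 400 and "FacGroup_users" in body:
            # The symptom from the first post: user and group exist, but the
            # API admin profile lacks "Users and Devices" change permissions.
            body += "\nCheck the admin profile under System > Administration."
        return err.code, body
```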
eliasen

Hi again


Yes, it also works for Markus... What I need is help figuring out why it doesn't work for me. As far as I can tell, I am doing the exact same thing using either Postman or PowerShell - but I get an error.


Thanks

funkylicious

Maybe the group is created as being Remote LDAP/RADIUS/SAML or something and not LOCAL?

You would need to match the type of the user and group that you are trying to add.

geek
eliasen

Hi again


Both the user and the group are local. I can log into the Fortinet web site and add the user to the group manually. And both are marked as "local". So I expect that to be in order?


Thanks

Markus_M

Hi Jan,


The problem remains that the FAC isn't wanting to respond properly to that request. curl output might be interesting still, but Postman should also work (as it does for me). I only tested with local users and local groups for simplicity, and I would think a remote group cannot be updated anyway.


Have you opened a TAC case? It could be interesting to check the debug report.


Best regards,


Markus
