eliasen
New Contributor

Using the API to add a user to a group

Hi all

I am trying to use the API to create users and assign them to a specific user group.

I can use the POST to /api/v1/localusers/ to create a user with a relevant JSON as body. This seems to work just fine. I am a bit annoyed that I can't just add the user_groups to that request, but so be it.

Then I can find all user groups using this GET: /api/v1/usergroups/ - This will return all the user groups along with their "resource_uri". This works fine.

Now, how do I add a user to the group? I don't want to use the PATCH to the /api/v1/usergroups because that would require me to include ALL the users in the PATCH call. I just need to add a user. So I thought the best way was to use the POST to the /api/v1/localgroup-memberships/ - but it fails for me.

If I provide this JSON:

{
  "group": "/api/v1/usergroups/2/",
  "user": "/api/v1/localusers/25/"
}

I get an error back: "Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:"

So... How do I add a newly created local user to the existing user group?

Thanks! :)

Jan

eliasen

Hi Markus

Sorry, but there is no more error text. Perhaps this screenshot is better:

[screenshot: eliasen_0-1669730137634.png]

I don't have curl, but I will see what I can do. In the meantime, I tried with Invoke-WebRequest in PowerShell and got the same error:

Invoke-WebRequest : Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:

Thanks

Markus_M

Hi Jan,

does the command to read the memberships alone work?

GET 'https://10.191.19.45/api/v1/localgroup-memberships/'

Best regards,

Markus

eliasen

Hi Markus

Yes, I can query to get the localusers, I can POST to create a localuser, I can GET the localgroup-memberships and other stuff. I just can't seem to add the local user into a group.

Thanks :)

Markus_M

Hi Jan,

try to get to the debug section of FAC, https://fac-ip/debug

There, you might have the webserver/GUI section that might give hints right after the POST failure.

Best regards,

Markus
eliasen

I tried looking at the /debug now.

Unfortunately, it just says this:

2022-12-05 10:14:21,177 information 5577 140339952920320 Receiving HTTP POST request at "/api/v1/localgroup-memberships/" from "172.17.202.19" (query params: ) (User: biztalk)
2022-12-05 10:14:21,202 warning 5577 140339952920320 Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:

So nothing new as far as I can tell?

Thanks.

funkylicious

Hi,

Just out of curiosity, what is assigned to this user under User Role?

Also, have you tried a diagnose web restart from the CLI, just to eliminate a potential issue with the web service?

geek
eliasen

Hi

The roles for the user that I use for API calls are these:

[screenshot: eliasen_0-1670360357954.png]

Can you explain a bit more about the "diagnose web restart from CLI"? What is that and how do I do it?

Thanks!

funkylicious

Hi,

I think the issue is related to the profile assigned to the user, biztalk.

You can check under System > Administration > Admin profiles and see what it can actually do. My bet is that it got the Webservice Authentication permission set assigned, but nothing from Users and Devices, which it needs in order to change their group membership:

Web service:
Can authenticate FAC as fabric device
Can use API to authenticate
Can use API to authenticate using SSO

Users and Devices:
Can add user group
Can change user group
Can delete user group
Can view user group
Can add local user
Can change local user
Can delete local user
Can view local user

Have you tried running it with the admin user or another administrator with full permissions?

geek
eliasen

Thanks!

I tried simply adding ALL roles/rights to the user and then my call worked. So the trick now is to remove rights until I only have the necessary rights :)

Hawada1
Staff

Hi Jan,

I have a FAC running version 6.4.4 GA.
I have tested the Curl command previously shared by Markus by importing it to Postman and I was able to add an existing user to an existing group.

curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/4/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/

This article describes how to import cURL Script to Postman:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-Preview-local-...


You need to modify the API key and the FAC IP address before/after importing the curl script to Postman.
Also, keep in mind that both Username ID and Group ID must exist on FAC in order to add a user to a specific group.

Best regards,
Hawada1
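The flow this thread walks through (POST a local user, look up the group's resource_uri, POST both URIs to /api/v1/localgroup-memberships/ with HTTP Basic auth as in the curl above), as an added Python example; it is not code from the posts or from Fortinet. It assumes things the page does not show: list replies use a {"meta": {"next": ...}, "objects": [...]} envelope with a "name" field on user groups and "username" on local users, a create returns 201 with an empty body, the extra localuser fields (first_name, email) are accepted, and the host name and API key are placeholders. FakeFac is a constructed in-memory stand-in that replays the 400 quoted in the thread so the script runs offline; leave transport unset to talk to a real FAC.

```python
import base64
import json
import urllib.error
import urllib.request

MEMBERSHIPS = "/api/v1/localgroup-memberships/"


class FacApiError(Exception):
    def __init__(self, status, text):
        super().__init__(f"HTTP {status}: {text}")
        self.status, self.text = status, text


class FacClient:
    """Minimal FAC REST client: HTTP Basic with admin username + API key, as in the thread's curl."""
    def __init__(self, base_url, username, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        # transport(method, url, body_bytes) -> (status, body_bytes); FakeFac below replaces it
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method, url, body):
        req = urllib.request.Request(url, data=body, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; normalise to a tuple
            return err.code, err.read()

    def call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base_url + path, body)
        if status >= 400:
            raise FacApiError(status, raw.decode(errors="replace"))
        return json.loads(raw) if raw else {}

    def list_all(self, path):
        """All objects of a list endpoint, following meta.next pagination (assumed envelope)."""
        objs, nxt = [], path
        while nxt:
            page = self.call("GET", nxt)
            objs.extend(page.get("objects", []))
            nxt = page.get("meta", {}).get("next")
        return objs


def find_uri(client, path, field, value):
    """resource_uri of the first listed object whose `field` equals `value`, else None."""
    return next((o["resource_uri"] for o in client.list_all(path) if o.get(field) == value), None)


def ensure_local_user(client, username, **fields):
    """Create the local user unless it exists; return its resource_uri either way."""
    if find_uri(client, "/api/v1/localusers/", "username", username) is None:
        client.call("POST", "/api/v1/localusers/", {"username": username, **fields})
    return find_uri(client, "/api/v1/localusers/", "username", username)


def ensure_membership(client, user_uri, group_uri):
    """Add the user to the group with one membership POST; returns 'exists' or 'added'."""
    if any(m.get("user") == user_uri and m.get("group") == group_uri
           for m in client.list_all(MEMBERSHIPS)):
        return "exists"
    try:
        client.call("POST", MEMBERSHIPS, {"group": group_uri, "user": user_uri})
    except FacApiError as err:
        # The thread's failure mode: FAC answers 400 (not 403) when the API admin's profile
        # lacks "Users and Devices" rights, so point the operator at the profile, not the JSON.
        if err.status == 400 and "Cannot add facgroup-user relationship" in err.text:
            raise PermissionError("membership POST rejected; check the admin profile's "
                                  "'Users and Devices' permissions") from err
        raise
    return "added"


class FakeFac:
    """Constructed offline stand-in for a FAC; replays the replies quoted in the thread."""
    def __init__(self, can_change_groups):
        self.can_change_groups = can_change_groups
        self.tables = {
            "/api/v1/localusers/": [{"username": "alice", "resource_uri": "/api/v1/localusers/4/"}],
            "/api/v1/usergroups/": [{"name": "staff", "resource_uri": "/api/v1/usergroups/1/"}],
            MEMBERSHIPS: []}

    def __call__(self, method, url, body):
        path = url[url.index("/api/"):]
        rows = self.tables[path]
        if method == "GET":
            return 200, json.dumps({"meta": {"next": None}, "objects": rows}).encode()
        if path == MEMBERSHIPS and not self.can_change_groups:
            return 400, b'Cannot add facgroup-user relationship "FacGroup_users object (None)"'
        rows.append({**json.loads(body), "resource_uri": f"{path}{len(rows) + 1}/"})
        return 201, b""


def demo(can_change_groups=True):
    """Whole flow against the stub; returns 'added', 'exists' or 'denied: ...'."""
    client = FacClient("https://fac.example.test", "biztalk", "not-a-real-key",
                       transport=FakeFac(can_change_groups))
    try:
        user = ensure_local_user(client, "bob", first_name="Bob", email="bob@example.test")
        return ensure_membership(client, user, find_uri(client, "/api/v1/usergroups/", "name", "staff"))
    except PermissionError as err:
        return f"denied: {err}"
```

demo(True) returns "added" and demo(False) returns the "denied: ..." string. ensure_membership lists the existing memberships before posting, so re-running a provisioning job does not produce duplicate membership rows, and it maps the 400 to the admin-profile cause identified above instead of treating it as a malformed body; on a real FAC the API admin's profile still has to carry only the "Users and Devices" rights these three calls need, which is the trimming exercise eliasen describes.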
