Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eliasen
New Contributor

Created on ‎11-18-2022 05:13 AM Edited on ‎11-24-2022 11:38 AM By Community Manager

Using the API to add a user to a group

Hi all

I am trying to use the API to create users and assign them to a specific usergroup.

 

I can use the POST to /api/v1/localusers/ to create a user with a relevant JSON as body. This seems to work just fine. I am a bit annoyed that I can't just add the user_groups to that request, but so be it.

 

Then I can find all usergroups usign this GET: /api/v1/usergroups/ - This will return all the usergroups along with their "resource_uri". This works fine.

 

Now, how do I add a user to the group? I don't want to use the PATCH to the /api/v1/usergroups because that would require me to include ALL the users in the PATCH-call. I just need to add a user. So I thought the best way was to use the POST to the /api/v1/localgroup-memberships/ - but it fails for me.

If I provide this JSON:

{
"group": "/api/v1/usergroups/2/",
"user": "/api/v1/localusers/25/"
}

I get an error back: "Cannot add facgroup-user relationship "FacGroup_users object (None)" (Response: HTTP 400), Error:"

 

So... How do I add a newly created localuser to the existing usergroup?

 

Thanks! :)

  Jan

Labels:
4383
0 Kudos
1 Solution
funkylicious
Contributor III
In response to eliasen

Created on ‎12-06-2022 11:23 PM Edited on ‎12-06-2022 11:34 PM

Hi,

I think the issues are related to that profile assigned to the user, biztalk.

You can check under System > Administration > Admin profiles and see what it can actually do. My bet is that it got assigned Webservice Authentication permissions set, but nothing from Users and Devices , to be able to change settings for them in regards to group membership :

 

 

 

Web service:
Can authenticate FAC as fabric device
Can use API to authenticate
Can use API to authenticate using SSO

Users and Devices:
Can add user group
Can change user group
Can delete user group
Can view user group
Can add local user
Can change local user
Can delete local user
Can view local user

 

 

 

Have you tried running w/ user admin or another administrator with full permissions ?

geek

View solution in original post

geek
3887
30 REPLIES 30
Anthony_E
Community Manager
Community Manager

Created on ‎11-20-2022 10:33 PM

Hello Jan,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
1633
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎11-23-2022 10:30 PM

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
1603
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎11-24-2022 11:37 AM

Hello Jan,

 

Your message has been moved to the Fortinet Forum FortiAuthenticator 

 

Regards,

Anthony-Fortinet Community Team.
FortiAuthenticator
FortiAuthenticator
View in Store
1578
0 Kudos
Markus_M
Staff
Staff

Created on ‎11-25-2022 12:53 AM

Hi Jan,

 

what you might be looking for is this. You can add users to a group incrementally:

https://docs.fortinet.com/document/fortiauthenticator/6.4.2/rest-api-solution-guide/583007/local-use...

This is formally not adding a group membership to a user as you tried, but adding a user to a group as member.

 

Example:


Add one user to the group:
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/4/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/
result output:
{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 3, "resource_uri": "/api/v1/localgroup-memberships/3/", "user": "/api/v1/localusers/4/", "username": "test_user03"}

Add another user to the same group (same command, different user ID #3):
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU -X POST -d '{"group": "/api/v1/usergroups/1/", "user": "/api/v1/localusers/3/"}' -H 'Content-Type: application/json' https://10.191.19.45/api/v1/localgroup-memberships/
result output:
{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 2, "resource_uri": "/api/v1/localgroup-memberships/2/", "user": "/api/v1/localusers/3/", "username": "test_user02"}

Checking the users/result of the actions above:
curl -k -v -u admin:n1bCk66MxiGhHPlj8CnmOdLMmPCaAQrx2GAyTRkU GET 'https://10.191.19.45/api/v1/localgroup-memberships/'

{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 2}, "objects": [{"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 2, "resource_uri": "/api/v1/localgroup-memberships/2/", "user": "/api/v1/localusers/3/", "username": "test_user02"}, {"group": "/api/v1/usergroups/1/", "group_name": "testgroup", "id": 3, "resource_uri": "/api/v1/localgroup-memberships/3/", "user": "/api/v1/localusers/4/", "username": "test_user03"}]}

 

Hope this helps.

 

Markus

1556
eliasen
New Contributor
In response to Markus_M

Created on ‎11-25-2022 01:00 AM

Hi Markus and thanks for the reply.

 

I think that this is exactly what I am already doing? You can see a screenshot from postman below - I am using the localgroup-memberships and I am POSTing JSON to add a specific user to a specific group. But it fails and I don't know why.

 

Any thoughts? Thanks.

 

FortinetApiError.PNG

1551
0 Kudos
Markus_M
Staff
Staff
In response to eliasen

Created on ‎11-26-2022 02:11 AM

Hi Jan,

 

indeed this is pretty much the same. I just tested again with the given curl example. It worked fine.

I will try to get postman running in my lab.

Other question is if you are sure the numbers/IDs of the users are correct? When you hover over the user you will see it or with the GET output I shared:

GET 'https://10.191.19.45/api/v1/localgroup-memberships/'

 

Best regards,

 

Markus

1527
Markus_M
Staff
Staff
In response to Markus_M

Created on ‎11-26-2022 04:55 AM

Something is wrong on your query or with the FAC.

I managed to set up postman and set up a json query with authentication and it also works fine. When I change the IDs to something non-existing, I get an error back

{
"error": "Could not find the provided usergroups object via resource URI '/api/v1/usergroups/130/'."
}

What is your FortiAuthenticator version?

 

Best regards,

 

Markus

 

1520
0 Kudos
eliasen
New Contributor
In response to Markus_M

Created on ‎11-27-2022 11:55 PM

Hej Markus and thanks for helping me.

 

I double-checked the URLs I used the GET on both "usergroups" and "localusers" and they are correct.

 

I assume you mean this version number:

eliasen_0-1669622081609.png

 

? Hope that helps? 

 

Any thoughts on what might be wrong with the FAC?

 

Thanks! :)

  Jan

1493
0 Kudos
Markus_M
Staff
Staff
In response to eliasen

Created on ‎11-29-2022 01:00 AM

Hi Jan,

 

good question; my FortiAuthenticator is on a 6.4.6, not that far away. The release notes for 6.4.5 and 6.4.6 do not show anything that would fix this.

Do you have "curl" somewhere running? It might be giving a different output or more info. On Windows the easiest way might be the "Windows Subsystem for Linux" (WSL) and from that Ubuntu system inside Windows, you can run curl in the same command set I posted.

 

More details of the "error" on your screenshot might be helpful (it looks like there is a second line or cut-off line after the word "Error").

Generally, the HTTP 400 would normally say that the request you made to the web server is not correct.

 

Best regards,

 

Markus

 

1473
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.