Admin users

This section includes:

• Admin users
  • About FortiMail Workspace Security admin-users
  • About admin-user roles
  • Changing the role assigned to an admin-user
  • Types of admin-users
  • Adding or inviting new standard admin-users
  • Adding new SAML admin-users
  • Admin-user access - Parent and child organizations
  • SSO using Google Workspace or Microsoft 365
  • FortiCloud admin users
  • Adding permission profiles in FortiCloud

About FortiMail Workspace Security admin-users

The Admin Users page lets you manage the admin-users in your organization. Admin-users are those users that have access to FortiMail Workspace Security.

To open the Admin Users page: In FortiMail Workspace Security, in the left navigation menu, select Settings > Admin Users.

The Admin Users page is available to admin-users with the "Admin" role only.

About admin-user roles

Each FortiMail Workspace Security admin-user is assigned a user role. The role defines the tasks that the admin-user is permitted to perform in FortiMail Workspace Security. The Roles Scope table shows a summary of the available roles when you edit an admin-user in the Admin Users page.

Role functionality	Explanation
Upload files	Can upload files to be "self-analyzed". For details, see Self Analysis.
View scans	Can view scans in the Scans page. Note: An "Email Flow Manager" will be able to see only scans for emails that are currently quarantined; scans for emails that are not currently quarantined will not be visible.
Preview and download	Can preview and download scan details in the Scans page.
Scan actions	Can perform various actions on scans in the Scans page. Note: An "Email Flow Manager" will be able to see only scans for emails that are currently quarantined; scans for emails that are not currently quarantined will not be visible.
Settings	Can configure FortiMail Workspace Security settings. Can't see scans in the Scans page.
Manage users	Can configure admin-users. See About FortiMail Workspace Security admin-users above.

Note: To be able to access FortiMail Browser Security, an admin user must be assigned the Administrator admin role.

Changing the role assigned to an admin-user

Only an admin-user with the "Admin" role can change the role of an admin-user. For all other user roles, the Edit [] button [see below] will not appear.

To change the role that is assigned to an admin-user:

1. In FortiMail Workspace Security, in the left navigation menu, select Settings > Admin Users.

2. In the Admin Users page, locate the user, and click Edit [].

3. Select the required Role, and then click Save.

Types of admin-users

Admin-users may be either standard admin-users or SAML admin-users.

• Standard admin-users: The credentials of the admin-user are managed in FortiMail Workspace Security.

  For details on how to add a new standard admin-user, see Adding or inviting new standard admin-users below.

• SAML admin-users: The credentials of the admin-user are managed in an external identity provider - such as Azure AD or Okta.

  To create a new SAML admin-user, the admin-user needs to first sign-in to FortiMail Workspace Security using the "Log in with SSO" option, or via the SAML app. The first time the new admin-user successfully signs-in to FortiMail Workspace Security, a corresponding new admin-user will be created in FortiMail Workspace Security.

  For details on how to implement integration with an identity provider, see Identity Provider [IdP] Integration - SSO [X-Ray].

The admin-user type is displayed in FortiMail Workspace Security as the Connection Type.

Adding or inviting new standard admin-users

You use invitation emails to invite new standard admin-users. You can invite just a single admin-user at a time. When you invite a new admin-user, an invitation email is sent to the email address that you specify for the user. Before you send the email, you must specify the role that will be assigned to the new user, and you can limit the set of verdicts for which the user is able to access scans in the Scans page.

Note: Only an admin-user with the "Admin" role can invite a new admin-user. For all other user roles, the Add User button [see below] will not appear. You can't add an admin-user to an organization that is Inactive. [See Understanding the Organizations page] If your organization is configured to force users to sign-in to FortiMail Workspace Security using SAML, then it is not possible to add [invite] new admin-users using the procedure that is described on this page. [The Add User button (see below) will not appear.] Instead, the admin-user needs to sign-in to FortiMail Workspace Security using the "Log in with SSO" option, or via the SAML app. The first time a new admin-user successfully signs-in to FortiMail Workspace Security, a corresponding new admin-user will be created in FortiMail Workspace Security. For further details, see Forcing SAML sign-in. Each admin-user is identified by an email address. Any specific email address can be assigned to only one organization in FortiMail Workspace Security. Therefore, an admin-user can't be added to more than one organization - unless a different email address is used for each organization. An error "Failed to invite user" or "Failed to send invite" may indicate that the email address is already associated with another organization. Workaround: If an admin user already exists in one organization, then add a suffix to the email address to be used in the new organization. For example, if admin-user@acme.com is already used, then you can add admin-user+child1@acme.com to the new organization. [This is commonly known as "plus addressing" or "sub-addressing."] It isn't possible to bulk-add admin users. It can't be done using FortiMail Workspace Security, and it can't be done by FortiMail Workspace Security Support.

To invite a new standard admin-user:

1. In the Admin Users page, click Add User. The Add Admin User dialog box opens.

   

   Dialog box options
   Email address	Specify the email address of the new admin-user. An invitation email will be sent to this email address.
   Role	Select a role for the new admin-user. The role defines the user's access permissions within FortiMail Workspace Security.
   View verdict permissions	Some admin-user roles permit admin-users to access scans in the Scans page. By default, when an admin-user is permitted to access scans, the admin-user is able to access scans that have any verdict. "View verdict permissions" lets you specify that the user will be permitted to access scans that have specified verdicts only.
   Organization	Select the Organization that the new admin-user will be able to access. See Admin-user access - Parent and child organizations below for additional information.

2. Click Send Invitation. An invitation email will be sent to the specified email address.

3. When the new admin-user receives the invitation email, the admin-user should click Join Now inside the email, and then click Sign Up in the dialog box that opens.

   

   After performing the sign-up procedure, the new admin-user will be able to log-in to FortiMail Workspace Security using the credentials that were used to sign-up.

4. Use the following URL to access FortiMail Workspace Security:

   https://xray.perception-point.io/

Note The "Join Now" link in the invitation email expires 72 hours after the email is sent. If the "Join Now" link expires, there is an option to resend the invitation. This resend option appears in the list of admin-users. This option will appear until the user logs-in successfully to FortiMail Workspace Security. If a user has been sent an invitation email, but has not yet signed-in to FortiMail Workspace Security, you are not able to delete the user. Contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

Adding new SAML admin-users

To create a new SAML admin-user, the admin-user needs to first sign-in to FortiMail Workspace Security using the "Log in with SSO" option, or via the SAML app. The first time the new admin-user successfully signs-in to FortiMail Workspace Security, a corresponding new admin-user will be created in FortiMail Workspace Security.

Note: You can create SAML users only if you have enabled SSO. For details, see Identity Provider [IdP] Integration - SSO [X-Ray] If your organization is configured to force users to sign-in to FortiMail Workspace Security using SAML, then it is not possible to add [invite] new admin-users using the procedure that is described on this page. [The Add User button will not appear.] For further details, see Forcing SAML sign-in.

Admin-user access - Parent and child organizations

• An admin-user in a parent organization is able to access all the child organizations as well - even though the admin-user is not registered in the child organizations. This applies only when the parent organization is an MSSP-type organization. Admin-users in all other organization-types can access only the organizations in which they are registered - and not any child or sibling organizations in which they are not registered.

  Note: For MSSP-type organizations, admin users will have access to ALL child organizations - you can't limit their access to only some child organizations.

• An admin-user in a child organization can access that child organization only [and not the parent organization or any sibling organizations].

SSO using Google Workspace or Microsoft 365

Note This SSO functionality is not available to organizations that are registered with FortiCloud.

FortiMail Workspace Security supports Single Sign-On (SSO) for standard admin users [that is, for non-SAML admin users] via Google Workspace and Microsoft 365 authentication. Users that are signed-in to their Google accounts or Microsoft 365 accounts will be able to access FortiMail Workspace Security without entering any FortiMail Workspace Security credentials.

Note: This SSO functionality is available for standard admin users only - not for SAML admin users. This SSO functionality is not available to organizations that are registered with FortiCloud. You can integrate FortiMail Workspace Security with an external identity provider - such as Azure AD, Okta, or JumpCloud - to provide SSO [single sign-on] functionality. For details, see Identity Provider [IdP] Integration - SSO [X-Ray].

To enable SSO for an admin-user [Google Workspace or Microsoft 365]:

1. If the admin user already exists in FortiMail Workspace Security, then delete the admin user.

2. Invite [or re-invite] an admin user to FortiMail Workspace Security. [See Adding or inviting new standard admin-users above.]

3. When the admin-user receives the invitation email, the admin-user should click Join Now inside the email, and then click Sign up in the "Sign-in to continue" dialog box that opens.

   

4. In the Sign Up to continue page, the admin user should click:

   1. Continue with Google

      - or -

   2. Continue with Microsoft 365

      

5. After the admin user has signed in the first time, the admin user will then be able to access FortiMail Workspace Security using either:

   1. Continue with Google

      - or -

   2. Continue with Microsoft 365

      Note: These admin users will not be able to access FortiMail Workspace Security using an email address and password.

FortiCloud admin users

Admin users can access FortiMail Workspace Security via FortiCloud only if they are registered with FortiCloud. When you add a new admin user to FortiCloud, it is recommended that you add "IAM" [Identity Account Management] type users. Before you add new admin users, you'll need to create permission profiles for your organization. For details, see Adding permission profiles in FortiCloud below.

• When you add a new admin user to FortiCloud, the new user will appear in the Users page in FortiMail Workspace Security with a SAML connection type.

• After you add a new admin user to FortiCloud, if any details of the new user need to be edited, you should perform the edits in FortiCloud, not in FortiMail Workspace Security.

To add a new admin user in FortiCloud:

1. Open FortiCloud.

2. Click Services, and then under "Assets & Accounts", select IAM.

3. In the navigation panel on the left of the IAM portal, select Users.

   All the existing users - who are registered with FortiCloud - are listed.

4. In the top right corner, click Add New > IAM User.

   The User Details dialog box opens.

   

5. Enter the required options

   Username	The user will use this name to login to FortiCloud.
   Full Name	The user's full name.
   Email	The user's email address.
   Phone	The user's phone number.
   Description

6. Click Next.

   The User Permissions dialog box opens.

   

7. Under Permission Scope, select My Assets.

8. Under Permission Profile, select a permission profile for the new user.

9. Click Next.

   The new user will appear in the Users page in FortiMail Workspace Security - with a SAML connection type.

Adding permission profiles in FortiCloud

To add a new permission profile:

1. Open FortiCloud.

2. Click Services, and then under "Assets & Accounts", select IAM.

3. In the navigation panel on the left of the IAM portal, select Permission Profiles.

   Any existing permission profiles will be displayed.

4. In the top right corner, click Add New.

   The Basic Info dialog box opens.

   

5. Enter a Permission Profile Name.

6. Click Add Portal.

   

7. Select the "FortiMail Workspace" check box, and then click Add.

   

8. Slide the Access toggle to enable it.

9. Under Access Type, select the role that will be associated with the new permission profile. These are the same roles that are available in XRay.

10. In the top right, click Submit. The new permission profile appears in the list of permission profiles for your organization.

See also: 

• Setup