Capabilities
This connector is read-only. It syncs FortiManager management administrator
accounts as users, admin profiles as roles, and each admin’s assigned profile
as a role-membership grant. It does not provision changes back to FortiManager.
This covers privileged management access — not end-user identities.
Gather FortiManager credentials
The connector talks to the FortiManager JSON-RPC API at<base-url>/jsonrpc.
It supports two authentication modes; configure one.
API-token auth (FortiManager 7.2.2+) sends the token as an HTTP
Authorization: Bearer header and stores it as a masked secret in C1.
Session auth sends the username and password to /sys/login/user to
obtain a session key; the password field is not masked. Prefer API-token
auth when possible.Option 1 — API token (FortiManager 7.2.2+)
1
Create an API user
In FortiManager, create an administrator with RPC Permit (JSON API
Access) enabled and Trusted Hosts restricted to the C1 egress range.
2
Generate the token
Generate the API token for that admin and copy it.
Option 2 — Username and password (session auth)
1
Use a read-only admin
Provide the login name and password of a FortiManager administrator with
read access to system admin settings. The connector calls
exec /sys/login/user to obtain a session key.Configure the connector
Set either the API token, or both username and password. When the API token is
set it takes precedence.
Notes
- ADOM mode does not change the global admin scope; the connector reads
/cli/global/system/admin/userand/cli/global/system/admin/profile. - FortiManager often uses a self-signed certificate. The JSON-RPC transport has no insecure-TLS toggle; add the FortiManager CA to the trust store of the environment running the connector.