FortiCloud Organizations & FortiFlex

Welcome!

In this brief workshop, we’ll explore the FortiCloud Organizations feature set. We will show examples and limitations of the Organizations capabilities. Finally, we’ll explore FortiFlex entitlements within an Org structure and provide examples of the FortiFlex API.

Learning Objectives

  • Uncover FortiCloud Organizations basic terminology and concepts
  • Understand how FortiFlex operates in a multi-tenant environment
  • Learn how to use the FortiFlex API to manage configurations and entitlements

Primary Use Cases

  • MSSP
    • FortiFlex licensing for customers and/or offered in MSSP Marketplaces
    • Partner/Enterprise/Customer consolidation and organization of FortiCloud Accounts, Users, and Assets
  • FortiSASE
  • Workshops
    • CSE POC with multi-tenant accounts and Users with FortiFlex entitlements for Cloud Products (FortiGate CNF & FortiWeb Cloud)

Last updated: Thu, Aug 14, 2025 20:54:16 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of FortiCloud Organizations & FortiFlex

FortiCloud Organizations

FortiCloud Organizations Overview

  1. Terminology
  2. IAM Account Management
  3. IAM User Management
  4. Multitenancy with FortiCloud Organizations

Subsections of Organizations

Terminology

Terminology - Start with a solid foundation!

  • Organizations/“OU”/Units – hierarchical identifiers that act as directories or folders within the FortiCloud (FCLD) Organizations concept
    • The Org has a root OU ID and can have child OU IDs
  • IAM - Accounts – numbered FortiCloud Account IDs.
    • The Org has a single Root Account (belonging to MSSP)
    • MSSP can create child/member Accounts in an OU via FCLD Web GUI
  • IAM - Users – 3 types as described in docs
    • IAM “users” – user entity managed in FCLD
      • Can be local or Org, with the same “permission scope” and “permission profile” as described below
      • Password must be set with “Reset URL”, which can only be triggered by an admin (not the user)
      • 2FA enabled by default and cannot be disabled
        • Delivered to the user’s email address, so the address must be valid (FortiToken is the only other option presently)
    • External IdP Roles/Roles – really just a mapping of a SAML assertion containing “Role” = “XYZ” to the following
      • Local role – access to the “Account” in which the Role is created
        • Permission scope (asset folder)
        • Permission profile (local specific) – specifies which FCLD Portal features are available
      • Org role – access to an OU or Account within the Org
        • Permission scope (Org OU or Account within OU)
        • Permission profile (Org specific) - specifies which FCLD Portal features are available
      • 2FA handled by IdP
      • IdP enablement is via special request to PM
    • API User – required for calling any of the available APIs

IAM Account Management

IAM User Management

FortiCloud Multitenancy