Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

system accprofile

Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiGate features. You cannot delete or modify the super_admin access profile, but you can use it with more than one administrator account.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set secfabgrp {none | read | read-write}

set ftviewgrp {none | read | read-write}

New read or read-write privileges for Security Fabric and FortiView.

set netgrp {custom | ...}

config netgrp-permission

set cfg {none | read | read-write}

set packet-capture {none | read | read-write}

set route-cfg {none | read | read-write}

 

set sysgrp {custom | ...}

config sysgrp-permission

set admin {none | read | read-write}

set upd {none | read | read-write}

set cfg {none | read | read-write}

set mnt {none | read | read-write}

 

config utmgrp-permission

set endpoint-control {none | read | read-write}

Assign read or read-write privileges for network and system permissions and for FortiClient Profiles.

Note that the custom option, as shown for the pre-existing netgrp and sysgrp options, is new to FortiOS 6.0, and permits their corresponding configuration methods to become available.

Similarly, config utmgrp-permission is only available when utmgrp is set to custom; this instance of custom is not new.

set mntgrp {none | read | read-write}

set admingrp {none | read | read-write}

set updategrp {none | read | read-write}

set routegrp {none | read | read-write}

set endpoint-control-grp {none | read | read-write}

These options have been removed, as part of streamlining/rearranging more granular profiles under different profile groups.
config system accprofile
    edit {name}
    # Configure access profiles for system administrators.
        set name {string}   Profile name. size[35]
        set scope {vdom | global}   Scope of admin access: global or specific VDOM(s).
                vdom    VDOM access.
                global  Global access.
        set comments {string}   Comment. size[255]
        set secfabgrp {none | read | read-write}   Security Fabric.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set ftviewgrp {none | read | read-write}   FortiView.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set authgrp {none | read | read-write}   Administrator access to Users and Devices.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set sysgrp {none | read | read-write | custom}   System Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set netgrp {none | read | read-write | custom}   Network Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set loggrp {none | read | read-write | custom}   Administrator access to Logging and Reporting including viewing log messages.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set fwgrp {none | read | read-write | custom}   Administrator access to the Firewall configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set vpngrp {none | read | read-write}   Administrator access to IPsec, SSL, PPTP, and L2TP VPN.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set utmgrp {none | read | read-write | custom}   Administrator access to Security Profiles.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set wanoptgrp {none | read | read-write}   Administrator access to WAN Opt & Cache.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set wifi {none | read | read-write}   Administrator access to the WiFi controller and Switch controller.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        config netgrp-permission
            set cfg {none | read | read-write}   Network Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set packet-capture {none | read | read-write}   Packet Capture Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set route-cfg {none | read | read-write}   Router Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config sysgrp-permission
            set admin {none | read | read-write}   Administrator Users.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set upd {none | read | read-write}   FortiGuard Updates.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set cfg {none | read | read-write}   System Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set mnt {none | read | read-write}   Maintenance.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config fwgrp-permission
            set policy {none | read | read-write}   Policy Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set address {none | read | read-write}   Address Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set service {none | read | read-write}   Service Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set schedule {none | read | read-write}   Schedule Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config loggrp-permission
            set config {none | read | read-write}   Log & Report configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-access {none | read | read-write}   Log & Report Data Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set report-access {none | read | read-write}   Log & Report Report Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set threat-weight {none | read | read-write}   Log & Report Threat Weight.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config utmgrp-permission
            set antivirus {none | read | read-write}   Antivirus profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set ips {none | read | read-write}   IPS profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set webfilter {none | read | read-write}   Web Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set spamfilter {none | read | read-write}   AntiSpam filter and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-loss-prevention {none | read | read-write}   DLP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set application-control {none | read | read-write}   Application Control profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set icap {none | read | read-write}   ICAP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set voip {none | read | read-write}   VoIP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set waf {none | read | read-write}   Web Application Firewall profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set dnsfilter {none | read | read-write}   DNS Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set endpoint-control {none | read | read-write}   FortiClient Profiles.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        set admintimeout-override {enable | disable}   Enable/disable overriding the global administrator idle timeout.
        set admintimeout {integer}   Administrator timeout for this access profile (0 - 480 min, default = 10, 0 means never timeout). range[1-480]
    next
end

Additional information

The following section is for those options that require additional explanation.

Access Level

The options that are used to configured configure what level of administrative access the members of the profile group have can be set to the following levels:

none No access is granted
read Users can read the configuration but make no changes
read-write Users can view and alter configurations
custom

This setting makes available an additional "permission" setting for the category of access with its own more granular settings.

Associated with:

  • fwgrp
  • loggrp
  • utmgrp

 

 

admingrp

Configure this group to apply permission settings that apply to administrator accounts and access profiles.

authgrp

Configure this group to apply permission settings that apply to user authentication, including local users, RADIUS servers, LDAP servers, and user groups.

endpointcontrol-grp

Configure this group to apply permission settings that apply to endpoint control (Endpoint NAC) configuration.

fwgrp

Configure this group to apply permission settings that apply to firewall configuration settings.

config fwgrp-permission

This configuration option is only available if fwgrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
address firewall addresses
device netscan device identification configurations
others virtual IP configurations
packet-capture packet capture
policy firewall policies
profile firewall profiles
schedule firewall schedules
service firewall service definitions

 

loggrp

Configure this group to apply permission settings that apply to log and report configurations, including:

  • log settings
  • viewing logs
  • alert email settings
  • execute batch commands

config loggrp-permission

This configuration option is only available if loggrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
config logging configuration
data-access log data
threat-weight threat-weight data

mntgrp {none | read | read-write}

Configure this group to apply permission settings that apply to maintenance of the FortiGate. The scope of this option is limited to the following areas:

  • Management of configuration files
  • Uploading of firmware
  • Connectivity to central management such as a FortiManager
  • Connectivity to an attached extender device
  • Connectivity to attached USB devices

netgrp

Configure this group to apply permission settings that apply to networking, including:

  • interfaces
  • dhcp servers
  • zones
  • get system status
  • get system arp table
  • config system arp-table
  • execute dhcp lease-list
  • execute dhcp lease-clear

routegrp

Configure this group to apply permission settings that apply to router configuration.

sysgrp

Configure this group to apply permission settings that apply to system configuration.

Exceptions:
  • system accprofile
  • system admin
  • system autoupdate

updategrp

Configure this group to apply permission settings that apply to FortiGuard antivirus and IPS updates (manual and automatic).

utmgrp

Configure this group to apply permission settings that apply to UTM configuration.

config utmgrp-permission

This configuration option is only available if utmgrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
antivirus antivirus configuration data
application-control application control data
data-loss-prevention data loss prevention (DLP) data
dnsfilter DNS filter profiles and settings
icap Internet Content Adaptation Protocol configuration
ips intrusion prevention (IP) data
netscan network scans
spamfilter spamfilter data
voip VOIP data
waf Web Application Firewall profiles and settings
webfilter web filter data

vpngrp

Configure this group to apply permission settings that apply to VPN configuration

wanoptgrp

Configure this group to apply permission settings that apply to WAN optimization configuration

wifi

Configure this group to apply permission settings that apply to WiFi configuration

system accprofile

Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiGate features. You cannot delete or modify the super_admin access profile, but you can use it with more than one administrator account.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set secfabgrp {none | read | read-write}

set ftviewgrp {none | read | read-write}

New read or read-write privileges for Security Fabric and FortiView.

set netgrp {custom | ...}

config netgrp-permission

set cfg {none | read | read-write}

set packet-capture {none | read | read-write}

set route-cfg {none | read | read-write}

 

set sysgrp {custom | ...}

config sysgrp-permission

set admin {none | read | read-write}

set upd {none | read | read-write}

set cfg {none | read | read-write}

set mnt {none | read | read-write}

 

config utmgrp-permission

set endpoint-control {none | read | read-write}

Assign read or read-write privileges for network and system permissions and for FortiClient Profiles.

Note that the custom option, as shown for the pre-existing netgrp and sysgrp options, is new to FortiOS 6.0, and permits their corresponding configuration methods to become available.

Similarly, config utmgrp-permission is only available when utmgrp is set to custom; this instance of custom is not new.

set mntgrp {none | read | read-write}

set admingrp {none | read | read-write}

set updategrp {none | read | read-write}

set routegrp {none | read | read-write}

set endpoint-control-grp {none | read | read-write}

These options have been removed, as part of streamlining/rearranging more granular profiles under different profile groups.
config system accprofile
    edit {name}
    # Configure access profiles for system administrators.
        set name {string}   Profile name. size[35]
        set scope {vdom | global}   Scope of admin access: global or specific VDOM(s).
                vdom    VDOM access.
                global  Global access.
        set comments {string}   Comment. size[255]
        set secfabgrp {none | read | read-write}   Security Fabric.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set ftviewgrp {none | read | read-write}   FortiView.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set authgrp {none | read | read-write}   Administrator access to Users and Devices.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set sysgrp {none | read | read-write | custom}   System Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set netgrp {none | read | read-write | custom}   Network Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set loggrp {none | read | read-write | custom}   Administrator access to Logging and Reporting including viewing log messages.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set fwgrp {none | read | read-write | custom}   Administrator access to the Firewall configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set vpngrp {none | read | read-write}   Administrator access to IPsec, SSL, PPTP, and L2TP VPN.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set utmgrp {none | read | read-write | custom}   Administrator access to Security Profiles.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set wanoptgrp {none | read | read-write}   Administrator access to WAN Opt & Cache.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set wifi {none | read | read-write}   Administrator access to the WiFi controller and Switch controller.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        config netgrp-permission
            set cfg {none | read | read-write}   Network Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set packet-capture {none | read | read-write}   Packet Capture Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set route-cfg {none | read | read-write}   Router Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config sysgrp-permission
            set admin {none | read | read-write}   Administrator Users.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set upd {none | read | read-write}   FortiGuard Updates.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set cfg {none | read | read-write}   System Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set mnt {none | read | read-write}   Maintenance.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config fwgrp-permission
            set policy {none | read | read-write}   Policy Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set address {none | read | read-write}   Address Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set service {none | read | read-write}   Service Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set schedule {none | read | read-write}   Schedule Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config loggrp-permission
            set config {none | read | read-write}   Log & Report configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-access {none | read | read-write}   Log & Report Data Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set report-access {none | read | read-write}   Log & Report Report Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set threat-weight {none | read | read-write}   Log & Report Threat Weight.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config utmgrp-permission
            set antivirus {none | read | read-write}   Antivirus profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set ips {none | read | read-write}   IPS profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set webfilter {none | read | read-write}   Web Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set spamfilter {none | read | read-write}   AntiSpam filter and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-loss-prevention {none | read | read-write}   DLP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set application-control {none | read | read-write}   Application Control profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set icap {none | read | read-write}   ICAP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set voip {none | read | read-write}   VoIP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set waf {none | read | read-write}   Web Application Firewall profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set dnsfilter {none | read | read-write}   DNS Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set endpoint-control {none | read | read-write}   FortiClient Profiles.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        set admintimeout-override {enable | disable}   Enable/disable overriding the global administrator idle timeout.
        set admintimeout {integer}   Administrator timeout for this access profile (0 - 480 min, default = 10, 0 means never timeout). range[1-480]
    next
end

Additional information

The following section is for those options that require additional explanation.

Access Level

The options that are used to configured configure what level of administrative access the members of the profile group have can be set to the following levels:

none No access is granted
read Users can read the configuration but make no changes
read-write Users can view and alter configurations
custom

This setting makes available an additional "permission" setting for the category of access with its own more granular settings.

Associated with:

  • fwgrp
  • loggrp
  • utmgrp

 

 

admingrp

Configure this group to apply permission settings that apply to administrator accounts and access profiles.

authgrp

Configure this group to apply permission settings that apply to user authentication, including local users, RADIUS servers, LDAP servers, and user groups.

endpointcontrol-grp

Configure this group to apply permission settings that apply to endpoint control (Endpoint NAC) configuration.

fwgrp

Configure this group to apply permission settings that apply to firewall configuration settings.

config fwgrp-permission

This configuration option is only available if fwgrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
address firewall addresses
device netscan device identification configurations
others virtual IP configurations
packet-capture packet capture
policy firewall policies
profile firewall profiles
schedule firewall schedules
service firewall service definitions

 

loggrp

Configure this group to apply permission settings that apply to log and report configurations, including:

  • log settings
  • viewing logs
  • alert email settings
  • execute batch commands

config loggrp-permission

This configuration option is only available if loggrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
config logging configuration
data-access log data
threat-weight threat-weight data

mntgrp {none | read | read-write}

Configure this group to apply permission settings that apply to maintenance of the FortiGate. The scope of this option is limited to the following areas:

  • Management of configuration files
  • Uploading of firmware
  • Connectivity to central management such as a FortiManager
  • Connectivity to an attached extender device
  • Connectivity to attached USB devices

netgrp

Configure this group to apply permission settings that apply to networking, including:

  • interfaces
  • dhcp servers
  • zones
  • get system status
  • get system arp table
  • config system arp-table
  • execute dhcp lease-list
  • execute dhcp lease-clear

routegrp

Configure this group to apply permission settings that apply to router configuration.

sysgrp

Configure this group to apply permission settings that apply to system configuration.

Exceptions:
  • system accprofile
  • system admin
  • system autoupdate

updategrp

Configure this group to apply permission settings that apply to FortiGuard antivirus and IPS updates (manual and automatic).

utmgrp

Configure this group to apply permission settings that apply to UTM configuration.

config utmgrp-permission

This configuration option is only available if utmgrp is set to custom, giving the administrator access to firewall configuration. By using the custome setting, it allows for a more granular configuration of administrative access. All of these settings can be configured to { none | read | read-write }.

Setting Level of administative access to:
antivirus antivirus configuration data
application-control application control data
data-loss-prevention data loss prevention (DLP) data
dnsfilter DNS filter profiles and settings
icap Internet Content Adaptation Protocol configuration
ips intrusion prevention (IP) data
netscan network scans
spamfilter spamfilter data
voip VOIP data
waf Web Application Firewall profiles and settings
webfilter web filter data

vpngrp

Configure this group to apply permission settings that apply to VPN configuration

wanoptgrp

Configure this group to apply permission settings that apply to WAN optimization configuration

wifi

Configure this group to apply permission settings that apply to WiFi configuration