Fortinet black logo

CLI Reference

system accprofile

Configure access profiles for system administrators.

  config system accprofile
      Description: Configure access profiles for system administrators.
      edit <name>
          set scope [vdom|global]
          set comments {var-string}
          set secfabgrp [none|read|...]
          set ftviewgrp [none|read|...]
          set authgrp [none|read|...]
          set sysgrp [none|read|...]
          set netgrp [none|read|...]
          set loggrp [none|read|...]
          set fwgrp [none|read|...]
          set vpngrp [none|read|...]
          set utmgrp [none|read|...]
          set wanoptgrp [none|read|...]
          set wifi [none|read|...]
          config netgrp-permission
              Description: Custom network permission.
              set cfg [none|read|...]
              set packet-capture [none|read|...]
              set route-cfg [none|read|...]
          end
          config sysgrp-permission
              Description: Custom system permission.
              set admin [none|read|...]
              set upd [none|read|...]
              set cfg [none|read|...]
              set mnt [none|read|...]
          end
          config fwgrp-permission
              Description: Custom firewall permission.
              set policy [none|read|...]
              set address [none|read|...]
              set service [none|read|...]
              set schedule [none|read|...]
          end
          config loggrp-permission
              Description: Custom Log & Report permission.
              set config [none|read|...]
              set data-access [none|read|...]
              set report-access [none|read|...]
              set threat-weight [none|read|...]
          end
          config utmgrp-permission
              Description: Custom Security Profile permissions.
              set antivirus [none|read|...]
              set ips [none|read|...]
              set webfilter [none|read|...]
              set emailfilter [none|read|...]
              set data-loss-prevention [none|read|...]
              set application-control [none|read|...]
              set icap [none|read|...]
              set voip [none|read|...]
              set waf [none|read|...]
              set dnsfilter [none|read|...]
              set endpoint-control [none|read|...]
          end
          set admintimeout-override [enable|disable]
          set admintimeout {integer}
      next
  end

config system accprofile

Parameter Name Description Type Size
scope Scope of admin access: global or specific VDOM(s).
vdom: VDOM access.
global: Global access.
option -
comments Comment. var-string Maximum length: 255
secfabgrp Security Fabric.
none: No access.
read: Read access.
read-write: Read/write access.
option -
ftviewgrp FortiView.
none: No access.
read: Read access.
read-write: Read/write access.
option -
authgrp Administrator access to Users and Devices.
none: No access.
read: Read access.
read-write: Read/write access.
option -
sysgrp System Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
netgrp Network Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
loggrp Administrator access to Logging and Reporting including viewing log messages.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
fwgrp Administrator access to the Firewall configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
vpngrp Administrator access to IPsec, SSL, PPTP, and L2TP VPN.
none: No access.
read: Read access.
read-write: Read/write access.
option -
utmgrp Administrator access to Security Profiles.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
wanoptgrp Administrator access to WAN Opt & Cache.
none: No access.
read: Read access.
read-write: Read/write access.
option -
wifi Administrator access to the WiFi controller and Switch controller.
none: No access.
read: Read access.
read-write: Read/write access.
option -
admintimeout-override Enable/disable overriding the global administrator idle timeout.
enable: Enable overriding the global administrator idle timeout.
disable: Disable overriding the global administrator idle timeout.
option -
admintimeout Administrator timeout for this access profile (0 - 480 min, default = 10, 0 means never timeout). integer Minimum value: 1 Maximum value: 480

config netgrp-permission

Parameter Name Description Type Size
cfg Network Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
packet-capture Packet Capture Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
route-cfg Router Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config sysgrp-permission

Parameter Name Description Type Size
admin Administrator Users.
none: No access.
read: Read access.
read-write: Read/write access.
option -
upd FortiGuard Updates.
none: No access.
read: Read access.
read-write: Read/write access.
option -
cfg System Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
mnt Maintenance.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config fwgrp-permission

Parameter Name Description Type Size
policy Policy Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
address Address Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
service Service Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
schedule Schedule Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config loggrp-permission

Parameter Name Description Type Size
config Log & Report configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
data-access Log & Report Data Access.
none: No access.
read: Read access.
read-write: Read/write access.
option -
report-access Log & Report Report Access.
none: No access.
read: Read access.
read-write: Read/write access.
option -
threat-weight Log & Report Threat Weight.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config utmgrp-permission

Parameter Name Description Type Size
antivirus Antivirus profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
ips IPS profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
webfilter Web Filter profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
emailfilter AntiSpam filter and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
data-loss-prevention DLP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
application-control Application Control profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
icap ICAP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
voip VoIP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
waf Web Application Firewall profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
dnsfilter DNS Filter profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
endpoint-control FortiClient Profiles.
none: No access.
read: Read access.
read-write: Read/write access.
option -

Configure access profiles for system administrators.

  config system accprofile
      Description: Configure access profiles for system administrators.
      edit <name>
          set scope [vdom|global]
          set comments {var-string}
          set secfabgrp [none|read|...]
          set ftviewgrp [none|read|...]
          set authgrp [none|read|...]
          set sysgrp [none|read|...]
          set netgrp [none|read|...]
          set loggrp [none|read|...]
          set fwgrp [none|read|...]
          set vpngrp [none|read|...]
          set utmgrp [none|read|...]
          set wanoptgrp [none|read|...]
          set wifi [none|read|...]
          config netgrp-permission
              Description: Custom network permission.
              set cfg [none|read|...]
              set packet-capture [none|read|...]
              set route-cfg [none|read|...]
          end
          config sysgrp-permission
              Description: Custom system permission.
              set admin [none|read|...]
              set upd [none|read|...]
              set cfg [none|read|...]
              set mnt [none|read|...]
          end
          config fwgrp-permission
              Description: Custom firewall permission.
              set policy [none|read|...]
              set address [none|read|...]
              set service [none|read|...]
              set schedule [none|read|...]
          end
          config loggrp-permission
              Description: Custom Log & Report permission.
              set config [none|read|...]
              set data-access [none|read|...]
              set report-access [none|read|...]
              set threat-weight [none|read|...]
          end
          config utmgrp-permission
              Description: Custom Security Profile permissions.
              set antivirus [none|read|...]
              set ips [none|read|...]
              set webfilter [none|read|...]
              set emailfilter [none|read|...]
              set data-loss-prevention [none|read|...]
              set application-control [none|read|...]
              set icap [none|read|...]
              set voip [none|read|...]
              set waf [none|read|...]
              set dnsfilter [none|read|...]
              set endpoint-control [none|read|...]
          end
          set admintimeout-override [enable|disable]
          set admintimeout {integer}
      next
  end

config system accprofile

Parameter Name Description Type Size
scope Scope of admin access: global or specific VDOM(s).
vdom: VDOM access.
global: Global access.
option -
comments Comment. var-string Maximum length: 255
secfabgrp Security Fabric.
none: No access.
read: Read access.
read-write: Read/write access.
option -
ftviewgrp FortiView.
none: No access.
read: Read access.
read-write: Read/write access.
option -
authgrp Administrator access to Users and Devices.
none: No access.
read: Read access.
read-write: Read/write access.
option -
sysgrp System Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
netgrp Network Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
loggrp Administrator access to Logging and Reporting including viewing log messages.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
fwgrp Administrator access to the Firewall configuration.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
vpngrp Administrator access to IPsec, SSL, PPTP, and L2TP VPN.
none: No access.
read: Read access.
read-write: Read/write access.
option -
utmgrp Administrator access to Security Profiles.
none: No access.
read: Read access.
read-write: Read/write access.
custom: Customized access.
option -
wanoptgrp Administrator access to WAN Opt & Cache.
none: No access.
read: Read access.
read-write: Read/write access.
option -
wifi Administrator access to the WiFi controller and Switch controller.
none: No access.
read: Read access.
read-write: Read/write access.
option -
admintimeout-override Enable/disable overriding the global administrator idle timeout.
enable: Enable overriding the global administrator idle timeout.
disable: Disable overriding the global administrator idle timeout.
option -
admintimeout Administrator timeout for this access profile (0 - 480 min, default = 10, 0 means never timeout). integer Minimum value: 1 Maximum value: 480

config netgrp-permission

Parameter Name Description Type Size
cfg Network Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
packet-capture Packet Capture Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
route-cfg Router Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config sysgrp-permission

Parameter Name Description Type Size
admin Administrator Users.
none: No access.
read: Read access.
read-write: Read/write access.
option -
upd FortiGuard Updates.
none: No access.
read: Read access.
read-write: Read/write access.
option -
cfg System Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
mnt Maintenance.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config fwgrp-permission

Parameter Name Description Type Size
policy Policy Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
address Address Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
service Service Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
schedule Schedule Configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config loggrp-permission

Parameter Name Description Type Size
config Log & Report configuration.
none: No access.
read: Read access.
read-write: Read/write access.
option -
data-access Log & Report Data Access.
none: No access.
read: Read access.
read-write: Read/write access.
option -
report-access Log & Report Report Access.
none: No access.
read: Read access.
read-write: Read/write access.
option -
threat-weight Log & Report Threat Weight.
none: No access.
read: Read access.
read-write: Read/write access.
option -

config utmgrp-permission

Parameter Name Description Type Size
antivirus Antivirus profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
ips IPS profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
webfilter Web Filter profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
emailfilter AntiSpam filter and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
data-loss-prevention DLP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
application-control Application Control profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
icap ICAP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
voip VoIP profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
waf Web Application Firewall profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
dnsfilter DNS Filter profiles and settings.
none: No access.
read: Read access.
read-write: Read/write access.
option -
endpoint-control FortiClient Profiles.
none: No access.
read: Read access.
read-write: Read/write access.
option -