Administrator profiles

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required.

By default, the FortiGate has an admin administrator account that uses the super_admin profile.

Super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can't be deleted or modified.

Note

Lower-level administrator profiles can't back up or restore the FortiOS configuration.

The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.

Creating customized profiles

To create a profile in the GUI:
  1. Go to System > Admin Profiles.
  2. Select Create New.
  3. Configure the following settings:
    • Name.
    • Access permissions.
    • Override idle timeout.
  4. Select OK.

To create a profile in the CLI:
config system accprofile
    edit "sample"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end
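
The sample profile above grants read-write on every access group it lists. As an added example (not Fortinet code and not part of the original page), the Python script below parses a config system accprofile block from a saved configuration and reports where each profile grants more than a reviewed baseline allows. The log-review profile, the BASELINE mapping and the use of none as the no-access level are assumptions made for illustration.

```python
import re

# Access groups from the CLI example on this page.
GROUPS = ("secfabgrp ftviewgrp authgrp sysgrp netgrp loggrp "
          "fwgrp vpngrp utmgrp wanoptgrp wifi").split()
# "read" and "read-write" appear on the page; "none" is assumed to be the
# no-access value. Unknown values rank as read-write so they fail closed.
RANK = {"none": 0, "read": 1, "read-write": 2}

def parse_accprofiles(text):
    """Return {profile: {setting: value}} from 'config system accprofile'."""
    profiles, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system accprofile" else 0
        elif line.startswith("config "):
            depth += 1  # nested block inside a profile: contents skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = profiles.setdefault(m.group(1), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None:
            if m := re.fullmatch(r"set (\S+) (\S+)", line):
                current[m.group(1)] = m.group(2)
    return profiles

def excess(granted, allowed):
    """Groups where a profile exceeds the baseline (missing counts as none)."""
    found = {}
    for group in GROUPS:
        have, cap = granted.get(group, "none"), allowed.get(group, "none")
        if RANK.get(have, 2) > RANK[cap]:
            found[group] = (have, cap)
    return found

# Constructed input: the page's "sample" profile plus a hypothetical
# "log-review" profile; BASELINE is a hypothetical approved permission set.
CONFIG = ('config system accprofile\n    edit "sample"\n'
          + "".join(f"        set {g} read-write\n" for g in GROUPS)
          + '    next\n    edit "log-review"\n        set loggrp read\n'
          + '        set ftviewgrp read-write\n    next\nend\n')
BASELINE = {"loggrp": "read", "ftviewgrp": "read"}

def audit(text, baseline):
    return {name: excess(p, baseline) for name, p in parse_accprofiles(text).items()}

if __name__ == "__main__":
    print(audit(CONFIG, BASELINE))
```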

Edit profiles

To edit a profile in the GUI:
  1. Go to System > Admin Profiles.
  2. Choose the profile to be edited and select Edit.
  3. Select OK to save any changes made.

To edit a profile in the CLI:
config system accprofile
    edit "sample"
        set secfabgrp read
    next
end

Delete profiles

To delete a profile in the GUI:
  1. Go to System > Admin Profiles.
  2. Choose the profile to be deleted and select Delete.
  3. Select OK.

To delete a profile in the CLI:
config system accprofile
    delete "sample"
end
