Fortinet black logo

CLI Reference

Permissions

Permissions

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned can be either:

  • System: Can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. The administrator’s permissions are restricted only by his or her access profile.
  • A protected domain: Can only access areas that are specifically assigned to that protected domain. The administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by his or her access profile. The administrator cannot access the CLI, nor the basic mode of the web UI (For more information on the display modes of the GUI, see the FortiMail Administration Guide).

IP-based policies, the global blocklist, and the global safelist, the blocklist action, and the global Bayesian database are exceptions to this rule. Domain administrators can configure them, regardless of the fact that they could affect other domains. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Areas of the GUI (advanced mode) that cannot be accessed by domain administrators:
  • System > Maintenance
  • Monitor except for the Personal quarantine tab
  • System except for the Administrator tab
  • System > Mail Settings except for the domain, its subdomains, and associated domains
  • Domain & User > User > PKI User
  • Policy > Access Control > Receiving
  • Policy > Access Control > Delivery
  • Profile > Authentication
  • Profile > AntiSpam
  • Email Archiving
  • Log & Report

Access profiles assign either read, write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an access profile that administrator accounts can use, see sensitive data.

There are three possible permission types for an administrator account:

  • Administrator (also known as all)
  • Read & Write
  • Read Only
Administrator account permissions by domain assignment:

Permission

Domain: system

Domain: example.com

Administrator

  • Can create, view and change all other administrator accounts except the admin administrator account
  • Can view and change all parts of the FortiMail unit’s configuration, including uploading configuration backup files and restoring firmware default settings.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.
  • Can manually update firmware and antivirus definitions.
  • Can restart and shut down the FortiMail unit.
  • Can create, view and change other administrator accounts with Read & Write and Read Only permissions in its own protected domain.
  • Can only view and change settings, including profiles and policies, in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can be only one per protected domain.

Read & Write

  • Can only view and change its own administrator account.
  • Can view and change parts of the FortiMail unit’s configuration at the system and protected domain levels.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.
  • Can only view and change its own administrator account.
  • Can only view and change parts of the FortiMail unit’s configuration in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can release and delete quarantined email messages in its own protected domain.

Read Only

  • Can only view and change its own administrator account.
  • Can view the FortiMail unit configuration at the system and protected domain levels
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up databases.
  • Can only view and change its own administrator account.
  • Can only view settings in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
Areas of control in access profiles:

Access control area name

Grants access to...

For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission.
get/show access requires read permission.

In the web UI

In the CLI

Policy

policy

Monitor > Mail Queue ...

Monitor > Greylist ...

Monitor > Reputation > Sender Reputation

Domain & User > Domain > Domain

System > Mail Setting > Proxies

Domain & User > User ...

Policy ...

Profile ...

AntiSpam > Greylist ...

AntiSpam > Bounce Verification > Settings

AntiSpam > Endpoint Reputation ...

AntiSpam > Bayesian ...

config antispam greylist exempt

config antispam bounce-verification key

config antispam settings

config antispam trusted ...

config domain

config mailsetting proxy-smtp

config policy ...

config profile ...

config user ...

diagnose ...

execute ...

config mailsetting relayserver

Block/Safelist

block-safe-list

Monitor > Endpoint Reputation > Auto blocklist

Maintenance > AntiSpam > Block/Safelist Maintenance

AntiSpam > Block/Safelist ...

N/A

diagnose ...

execute ...

get system status

get system raid-performance

get system performance

Quarantine

quarantine

Monitor > Quarantine ...

AntiSpam > Quarantine > Quarantine Report

AntiSpam > Quarantine > System Quarantine Setting

AntiSpam > Quarantine > Control Account

diagnose ...

execute ...

config antispam quarantine-report

config mailsetting systemquarantine

Others

others

Monitor > System Status ...

Monitor > Archive > Email Archives

Monitor > Log ...

Monitor > Report ...

Maintenance ... except the Block/Safelist Maintenance tab

System ...

Mail Settings > Settings ...

Mail Settings > Address Book > Address Book

User > User Alias > User Alias

User > Address Map > Address Map

Email Archiving ...

Log and Report ...

config archive ...

config log ...

config mailsetting relayserver

config mailsetting storage

config report

config system ...

config user alias

config user map

diagnose ...

execute ...

get system status

Unlike other administrator accounts whose Access profile is super_admin_prof and Domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without being required to enter the existing password. As such, it is the only account that can reset another administrator’s password if that administrator forgets his or her password. Its name, permissions, and assignment to the System domain cannot be changed.

Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiMail unit.

For complete access to all commands, you must log in with the administrator account named admin. For access to the CLI, you must log in with a System-level administrator account.

Permissions

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned can be either:

  • System: Can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. The administrator’s permissions are restricted only by his or her access profile.
  • A protected domain: Can only access areas that are specifically assigned to that protected domain. The administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by his or her access profile. The administrator cannot access the CLI, nor the basic mode of the web UI (For more information on the display modes of the GUI, see the FortiMail Administration Guide).

IP-based policies, the global blocklist, and the global safelist, the blocklist action, and the global Bayesian database are exceptions to this rule. Domain administrators can configure them, regardless of the fact that they could affect other domains. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Areas of the GUI (advanced mode) that cannot be accessed by domain administrators:
  • System > Maintenance
  • Monitor except for the Personal quarantine tab
  • System except for the Administrator tab
  • System > Mail Settings except for the domain, its subdomains, and associated domains
  • Domain & User > User > PKI User
  • Policy > Access Control > Receiving
  • Policy > Access Control > Delivery
  • Profile > Authentication
  • Profile > AntiSpam
  • Email Archiving
  • Log & Report

Access profiles assign either read, write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an access profile that administrator accounts can use, see sensitive data.

There are three possible permission types for an administrator account:

  • Administrator (also known as all)
  • Read & Write
  • Read Only
Administrator account permissions by domain assignment:

Permission

Domain: system

Domain: example.com

Administrator

  • Can create, view and change all other administrator accounts except the admin administrator account
  • Can view and change all parts of the FortiMail unit’s configuration, including uploading configuration backup files and restoring firmware default settings.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.
  • Can manually update firmware and antivirus definitions.
  • Can restart and shut down the FortiMail unit.
  • Can create, view and change other administrator accounts with Read & Write and Read Only permissions in its own protected domain.
  • Can only view and change settings, including profiles and policies, in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can be only one per protected domain.

Read & Write

  • Can only view and change its own administrator account.
  • Can view and change parts of the FortiMail unit’s configuration at the system and protected domain levels.
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up and restore databases.
  • Can only view and change its own administrator account.
  • Can only view and change parts of the FortiMail unit’s configuration in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
  • Can release and delete quarantined email messages in its own protected domain.

Read Only

  • Can only view and change its own administrator account.
  • Can view the FortiMail unit configuration at the system and protected domain levels
  • Can release and delete quarantined email messages for all protected domains.
  • Can back up databases.
  • Can only view and change its own administrator account.
  • Can only view settings in its own protected domain.
  • Can only view profiles and policies created by an administrator whose Domain is system.
Areas of control in access profiles:

Access control area name

Grants access to...

For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission.
get/show access requires read permission.

In the web UI

In the CLI

Policy

policy

Monitor > Mail Queue ...

Monitor > Greylist ...

Monitor > Reputation > Sender Reputation

Domain & User > Domain > Domain

System > Mail Setting > Proxies

Domain & User > User ...

Policy ...

Profile ...

AntiSpam > Greylist ...

AntiSpam > Bounce Verification > Settings

AntiSpam > Endpoint Reputation ...

AntiSpam > Bayesian ...

config antispam greylist exempt

config antispam bounce-verification key

config antispam settings

config antispam trusted ...

config domain

config mailsetting proxy-smtp

config policy ...

config profile ...

config user ...

diagnose ...

execute ...

config mailsetting relayserver

Block/Safelist

block-safe-list

Monitor > Endpoint Reputation > Auto blocklist

Maintenance > AntiSpam > Block/Safelist Maintenance

AntiSpam > Block/Safelist ...

N/A

diagnose ...

execute ...

get system status

get system raid-performance

get system performance

Quarantine

quarantine

Monitor > Quarantine ...

AntiSpam > Quarantine > Quarantine Report

AntiSpam > Quarantine > System Quarantine Setting

AntiSpam > Quarantine > Control Account

diagnose ...

execute ...

config antispam quarantine-report

config mailsetting systemquarantine

Others

others

Monitor > System Status ...

Monitor > Archive > Email Archives

Monitor > Log ...

Monitor > Report ...

Maintenance ... except the Block/Safelist Maintenance tab

System ...

Mail Settings > Settings ...

Mail Settings > Address Book > Address Book

User > User Alias > User Alias

User > Address Map > Address Map

Email Archiving ...

Log and Report ...

config archive ...

config log ...

config mailsetting relayserver

config mailsetting storage

config report

config system ...

config user alias

config user map

diagnose ...

execute ...

get system status

Unlike other administrator accounts whose Access profile is super_admin_prof and Domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without being required to enter the existing password. As such, it is the only account that can reset another administrator’s password if that administrator forgets his or her password. Its name, permissions, and assignment to the System domain cannot be changed.

Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiMail unit.

For complete access to all commands, you must log in with the administrator account named admin. For access to the CLI, you must log in with a System-level administrator account.