CLI Reference

system accprofile

Use this command to configure access profiles. An access profile, together with the domain to which an administrator account is assigned, governs which areas of the web-based manager and CLI the administrator can access, and whether the administrator has the permissions needed to change the configuration or otherwise modify items in each area.

Syntax

    config system accprofile
      edit <profile_name>
        config menuitem
          edit <name>
            set permission {custom | none | read | read-write}
            set content-detail {enable | disable}
          next
        end
        set admin {none | read | read-write}
        set archive {none | read | read-write}
        set block-safe-list {none | read | read-write}
        set granular-group {all}
        set greylist {none | read | read-write}
        set log {none | read | read-write}
        set ms365 {none | read | read-write}
        set others {none | read | read-write}
        set personal-quarantine {none | read | read-write}
        set policy {none | read | read-write}
        set privilege-level {high | low | medium}
        set queue {none | read | read-write}
        set system {none | read | read-write}
        set system-diagnostics {enable | disable}
        set system-quarantine {none | read | read-write}
    end

| Variable | Description | Default |
| --- | --- | --- |
| <profile_name> | Enter the name of the access profile. | |
| <name> | Enter the name of the menu item for which you wish to configure administrative permissions: archive_grp, cluster_grp, content_grp, dashboard_grp, domain_grp, encryption_grp, fortiview_grp, log_grp, monitor_grp, ms365_grp, others_grp, policy_grp, profile_grp, security_grp, system_grp. | |
| permission {custom \| none \| read \| read-write} | Apply a permission across all access control configurations. | none |
| content-detail {enable \| disable} | Note that this is only available for archive_grp. | enable |
| admin {none \| read \| read-write} | For the admin configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| archive {none \| read \| read-write} | For the archiving configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| block-safe-list {none \| read \| read-write} | For the block and safelist configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| granular-group {all} | Access permission for granular control. | all |
| greylist {none \| read \| read-write} | For the greylist configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| log {none \| read \| read-write} | For the log configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| ms365 {none \| read \| read-write} | For the Microsoft 365 configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| others {none \| read \| read-write} | For the rest of the configurations except policy, block-safe-list, and quarantine, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| personal-quarantine {none \| read \| read-write} | For personal quarantine, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| policy {none \| read \| read-write} | For the policy configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| privilege-level {high \| low \| medium} | Set the access profile's privilege level. Any administrators assigned a low privilege level cannot run diagnose or config system commands. | medium |
| queue {none \| read \| read-write} | For the queue configuration, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| system {none \| read \| read-write} | For system settings, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
| system-diagnostics {enable \| disable} | Enable or disable permission to run system diagnostic commands. | enable |
| system-quarantine {none \| read \| read-write} | For system quarantine, enter the permissions that will be granted to administrator accounts associated with this access profile. | none |
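
Every area permission listed above defaults to none, but privilege-level defaults to medium and system-diagnostics to enable, so a profile that only sets read access still carries both unless they are set explicitly. The following Python example is added here for illustration and is not part of the Fortinet documentation: it parses a config system accprofile block and reports settings that exceed a read-only baseline. It assumes the exported text follows the syntax shown on this page; the baseline in audit() and the SAMPLE profiles are constructed.

```python
# Added example, not vendor code. Defaults come from the table on this page;
# the baseline in audit() and SAMPLE are constructed for illustration.
AREAS = ("admin archive block-safe-list greylist log ms365 others "
         "personal-quarantine policy queue system system-quarantine").split()
DEFAULTS = {**dict.fromkeys(AREAS, "none"),
            "privilege-level": "medium", "system-diagnostics": "enable"}

def parse_profiles(text):
    """Map profile name -> effective top-level settings (defaults applied)."""
    profiles, current, depth = {}, None, 0
    for words in filter(None, (line.split() for line in text.splitlines())):
        # depth 1 = inside "config system accprofile", depth 2 = "config menuitem"
        depth += {"config": 1, "end": -1}.get(words[0], 0)
        if depth == 1 and words[0] == "edit" and len(words) > 1:
            current = profiles.setdefault(words[1].strip('"'), dict(DEFAULTS))
        elif depth == 1 and words[0] == "set" and len(words) > 2 and current is not None:
            current[words[1]] = words[2]   # nested menuitem settings are skipped
    return profiles

def audit(profiles):
    """Return (profile, finding) pairs that exceed a read-only baseline."""
    findings = []
    for name, p in sorted(profiles.items()):
        findings += [(name, f"{a} is read-write") for a in AREAS if p[a] == "read-write"]
        if p["system-diagnostics"] == "enable":
            findings.append((name, "system-diagnostics is enable"))
        if p["privilege-level"] != "low":
            findings.append((name, f"privilege-level is {p['privilege-level']}"))
    return findings

SAMPLE = """\
config system accprofile
  edit log-auditor
    config menuitem
      edit log_grp
        set permission read
      next
    end
    set log read
  next
  edit helpdesk
    set personal-quarantine read-write
    set privilege-level low
    set system-diagnostics disable
  next
end
"""
print(*audit(parse_profiles(SAMPLE)), sep="\n")
```

The log-auditor profile is reported even though it only grants read access to logs, because it never overrides the two non-none defaults.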

Related topics

system admin
