system accprofile
Use this command to configure access profiles that, in conjunction with the domain or system-wide access level, govern whether or not an administrator account has permissions to view, change, or use features in each functional area. For details, see the FortiMail Administration Guide.
Syntax
config system accprofile
    edit <profile_name>
        set comment <description_str>
        config menuitem
            edit {archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
                set permission {custom | none | read | read-write}
                set content-detail {enable | disable}
            next
        end
        set granular-group {all}
        set privilege-level {high | low | medium}
        set system-diagnostics {enable | disable}
        set system-quarantine-folder {none | read | read-write}
end

<profile_name>
Enter the name of the access profile.

comment <description_str>
Enter a descriptive comment.

{archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
Enter the name of the functional area that you want to grant permissions for.
For example, SAML SSO settings are in multiple areas of the CLI and GUI. Therefore, administrators who configure SSO require read-write or read-update permissions for all of these:
domain_grp
profile_grp
system_grp

permission {custom | none | read | read-write}
Grant a permission for features in the functional area.
read-update is like read-write, except that new tables (profiles, etc.) cannot be created and existing ones cannot be deleted.
Default: none

content-detail {enable | disable}
Enable or disable the ability of administrators with read permission or better to view email contents.
Note: This setting is only available for archive_grp.
Default: enable

granular-group {all}
Enter the permission for granular control.
Default: all

privilege-level {high | low | medium}
Set the access profile's privilege level.
Administrators with a low privilege level cannot use diagnose or config system CLI commands.
Default: medium

system-diagnostics {enable | disable}
Enable or disable permission to run system diagnostic commands.
Default: enable

system-quarantine-folder {none | read | read-write}
For system quarantine, enter the permissions that will be granted to administrator accounts associated with this access profile.
Default: none

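
Two of the defaults listed on this page are enable (content-detail and system-diagnostics), so a profile that never sets them still grants them. The following added example, which is not Fortinet's code, parses configuration text in the syntax on this page and reports each profile's effective settings; the sample profiles, function names and finding labels are constructed for illustration, and it assumes unset keys take the listed defaults.

```python
# Defaults come from the table on this page; SAMPLE is constructed input.
PROFILE_DEFAULTS = {"system-diagnostics": "enable"}
AREA_DEFAULTS = {"permission": "none", "content-detail": "enable"}

SAMPLE = """config system accprofile
  edit helpdesk
    config menuitem
      edit archive_grp
        set permission read
      next
    end
  next
  edit auditor
    config menuitem
      edit archive_grp
        set permission read
        set content-detail disable
      next
    end
    set system-diagnostics disable
  next
end"""

def parse_accprofiles(text):
    """Return {profile: settings} with defaults filled in for keys never set."""
    profiles, in_menu, prof, target = {}, False, None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("config", "end"):
            in_menu = tok[-1] == "menuitem"  # 'end' closes the menuitem block
            target = prof
        elif tok[0] == "edit" and in_menu:
            target = prof["areas"].setdefault(tok[1], dict(AREA_DEFAULTS))
        elif tok[0] == "edit":
            prof = target = profiles[tok[1].strip('"')] = dict(PROFILE_DEFAULTS, areas={})
        elif tok[0] == "set":
            target[tok[1]] = " ".join(tok[2:]).strip('"')
    return profiles

def audit(profiles):
    """Return {profile: [findings]} judged on effective settings."""
    report = {}
    for name, p in profiles.items():
        arch = p["areas"].get("archive_grp", AREA_DEFAULTS)
        report[name] = [msg for msg, hit in (
            ("archived email contents viewable",
             arch["permission"] != "none" and arch["content-detail"] == "enable"),
            ("system-diagnostics enabled", p["system-diagnostics"] == "enable"),
        ) if hit]
    return report
```

In the sample, helpdesk sets only read on archive_grp yet is reported for both findings, while auditor, which disables both settings explicitly, is reported clean.
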
Related topics
system admin