CLI Reference

system accprofile

Use this command to configure access profiles that, in conjunction with the domain or system-wide access level, govern whether or not an administrator account has permissions to view, change, or use features in each functional area. For details, see the FortiMail Administration Guide.

Most permissions in the CLI align with equivalent menus in the GUI.

Access control area name | Grants access to...

For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission.
get/show access requires read permission.

Policy (in the GUI) / policy (in the CLI)

  • Monitor > Mail Queue ...
  • Monitor > Greylist ...
  • Monitor > Reputation > Sender Reputation
  • Domain & User > Domain > Domain
  • System > Mail Setting > Proxies
  • Domain & User > User ...
  • Policy ...
  • Profile ...
  • AntiSpam > Greylist ...
  • AntiSpam > Bounce Verification > Settings
  • AntiSpam > Endpoint Reputation ...
  • AntiSpam > Bayesian ...
  • config antispam greylist exempt
  • config antispam bounce-verification key
  • config antispam settings
  • config antispam trusted ...
  • config domain
  • config mailsetting proxy-smtp
  • config policy ...
  • config profile ...
  • config user ...
  • diagnose ...
  • execute ...
  • config mailsetting relayserver

Block/Safelist (in the GUI) / block-safe-list (in the CLI)

  • Monitor > Endpoint Reputation > Auto blocklist
  • Maintenance > AntiSpam > Block/Safelist Maintenance
  • AntiSpam > Block/Safelist ...
  • diagnose ...
  • execute ...
  • get system status
  • get system raid-performance
  • get system performance

Quarantine (in the GUI) / quarantine (in the CLI)

  • Monitor > Quarantine ...
  • AntiSpam > Quarantine > Quarantine Report
  • AntiSpam > Quarantine > System Quarantine Setting
  • AntiSpam > Quarantine > Control Account
  • diagnose ...
  • execute ...
  • config antispam quarantine-report
  • config mailsetting systemquarantine

Others (in the GUI) / others (in the CLI)

  • Monitor > System Status ...
  • Monitor > Archive > Email Archives
  • Monitor > Log ...
  • Monitor > Report ...
  • Maintenance ... except the Block/Safelist Maintenance tab
  • System ...
  • Mail Settings > Settings ...
  • Mail Settings > Address Book > Address Book
  • User > User Alias > User Alias
  • User > Address Map > Address Map
  • Email Archiving ...
  • Log and Report ...
  • config archive ...
  • config log ...
  • config mailsetting relayserver
  • config mailsetting storage
  • config report
  • config system ...
  • config user alias
  • config user map
  • diagnose ...
  • execute ...
  • get system status

Syntax

    config system accprofile
        edit <profile_name>
            [set comment "<description_str>"]
            config menuitem
                edit {archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
                    set permission {custom | none | read | read-write}
                    set content-detail {enable | disable}
                next
            end
            set granular-group {all}
            set privilege-level {high | low | medium}
            set system-diagnostics {enable | disable}
            set system-quarantine-folder {none | read | read-write}
    end

Variable | Description | Default

<profile_name>
    Enter the name of the access profile.

comment "<description_str>"
    Enter a descriptive comment.

{archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
    Enter the name of the functional area that you want to grant permissions for.

    For example, SAML SSO settings are in multiple areas of the CLI and GUI. Therefore, administrators who configure SSO require read-write or read-update permissions for all of these:

      • domain_grp
      • profile_grp
      • system_grp

permission {custom | none | read | read-write}
    Grant a permission for features in the functional area.

    read-update is like read-write, except new tables (profiles etc.) cannot be created and existing ones cannot be deleted.

    Default: none

content-detail {enable | disable}
    Enable or disable the ability of administrators with Read privileges or better to view email contents.

    Note: This setting is only available for archive_grp.

    Default: enable

granular-group {all}
    Enter the permission for granular control.

    Default: all

privilege-level {high | low | medium}
    Set the access profile's privilege level.

    Administrators with a low privilege level cannot use diagnose or config system CLI commands.

    Default: medium

system-diagnostics {enable | disable}
    Enable or disable permission to run system diagnostic commands.

    Default: enable

system-quarantine-folder {none | read | read-write}
    For system quarantine, enter the permissions that will be granted to administrator accounts associated with this access profile.

    Default: none
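The defaults listed above mean that a profile which sets only a read permission still permits diagnostics, a medium privilege level and, for archive_grp, viewing email contents. The following added example (not Fortinet code) audits saved accprofile configuration text for those effective settings; it assumes the text follows the syntax shown above, and the profile name helpdesk and the function names are constructed for illustration.

```python
import re

# Defaults from the variable table on this page; omitted settings fall back to these.
DEFAULTS = {"permission": "none", "content-detail": "enable",
            "privilege-level": "medium", "system-diagnostics": "enable"}

def parse_accprofiles(text):
    """Return {profile: {"settings": {...}, "menu": {group: {...}}}}."""
    profiles, stack, prof, grp = {}, [], None, None
    for line in text.splitlines():
        # Split on whitespace, keeping quoted strings whole; blank lines match nothing.
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
            grp = None  # leaving a block: later "set" lines belong to the profile
        elif tok[0] == "edit" and stack[-1:] == ["system accprofile"]:
            prof = profiles.setdefault(tok[1], {"settings": {}, "menu": {}})
        elif tok[0] == "edit" and stack[-1:] == ["menuitem"] and prof:
            grp = prof["menu"].setdefault(tok[1], {})
        elif tok[0] == "set" and len(tok) > 2 and prof:
            (grp if grp is not None else prof["settings"])[tok[1]] = tok[2]
    return profiles

def audit(profiles):
    """List what each profile permits once documented defaults fill omitted settings."""
    report = {}
    for name, p in profiles.items():
        eff = {**DEFAULTS, **p["settings"]}
        arch = {**DEFAULTS, **p["menu"].get("archive_grp", {})}
        checks = [("system-diagnostics", eff["system-diagnostics"] == "enable"),
                  ("privilege-level=" + eff["privilege-level"], eff["privilege-level"] != "low"),
                  ("archive email contents", arch["permission"] in ("read", "read-write")
                   and arch["content-detail"] == "enable")]
        report[name] = [label for label, hit in checks if hit]
    return report

# Constructed sample: only a read permission is set, everything else is left at its default.
SAMPLE = """config system accprofile
edit helpdesk
config menuitem
edit archive_grp
set permission read
next
end
end"""

print(audit(parse_accprofiles(SAMPLE)))
```

A profile intended for read-only review clears all three items by setting content-detail disable under archive_grp, privilege-level low and system-diagnostics disable.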

Related topics

system admin
