system accprofile

Use this command to configure administrator access profiles that, in conjunction with an administrator's level {domain | domain-group | system}, govern whether or not an administrator account has permissions to view, change, or use features in each functional area.

Note

The predefined access profile named super_admin_prof is required by the administrator account named admin, and cannot be deleted.

Syntax

    config system accprofile
        edit <profile_name>
            [set comment "<comment_str>"]
            set privilege-level {high | medium | low}
            set system-diagnostics {enable | disable}
            config menuitem
                edit {archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
                    set permission {custom | none | read | read-update | read-write}
                    set content-detail {enable | disable}
                next
            end
            set system-quarantine-folder {Bulk Content Dlp Virus PersonalOut Content_PasswordProtected ...}
        end

Variable / Description / Default

<profile_name>
    Enter the name of the profile.

comment "<comment_str>"
    Enter a description or comment.

{archive_grp | cluster_grp | content_grp | dashboard_grp | domain_grp | encryption_grp | fortiview_grp | log_grp | monitor_grp | ms365_grp | others_grp | policy_grp | profile_grp | security_grp | system_grp}
    Enter the name of the functional area that you want to grant permissions for. Functional areas correspond approximately to GUI navigation menus and REST API or CLI objects.

    When permission {custom | none | read | read-update | read-write} is custom for a functional area, its associated sub-areas also become available so that you can customize their permissions. To view all currently available functional areas, enter:

        edit ?

    Tooltip

    Multiple different functional areas sometimes have settings together in one CLI or REST API object (for example, config system global). The greatest permission granted to any of those functional areas applies to all settings in the object.

    If you want stricter access control that prevents this, configure a network interface with allowaccess {ping http https snmp ssh telnet} that allows only HTTPS (GUI), and require restricted administrators to log in using that interface only. (Do not rely on each administrator's access {cli gui rest} setting to disable CLI and REST API access: administrators can change their own setting if they have read-write or read-update access to the System functional area.)

permission {custom | none | read | read-update | read-write}
    Select which action to grant permission for each feature in the functional area, either:

      • none — No permissions except for some basic commands that are always available, such as the ability for an administrator to change their own password.

      • read — View only. get and show commands require read permission, except for some basic commands that are always available, such as get system status.

      • read-update — View and change existing settings. Execute actions such as generating reports.

      • read-write — View and change existing settings. Execute actions such as generating reports. Delete and create new tables (policies, profiles, etc.). config commands require update or write permission.

      • custom — If there are sub-areas within the functional area, select this option to make them available in the list of functional areas so that you can individually select their permissions. For example, if you enter:

            config system accprofile
            edit profile_A
            config menuitem
            edit policy_grp
            set permission custom
            next

        then policy sub-areas such as recipient policies become available. You can set granular permissions for them, or further customize their sub-areas:

            edit rcpt_policy
            set permission custom
            next
            edit PolicyRecipientIncoming
            set permission read-update

        Within the most granular level of sub-area, the custom option is not available.

    See details about FortiMail administrator permissions.

    Default: none

content-detail {enable | disable}
    Enable or disable the ability of administrators with read privileges or better to view email contents.

    This setting is used only in the archive_grp functional area.

    Default: enable

privilege-level {high | medium | low}
    Select either:

      • high

      • medium

      • low

    See details about FortiMail administrator permissions.

    Tooltip

    high is not the greatest privilege level. Administrators with this level cannot view, change, or delete other accounts that use the super_admin_prof administrator profile, which has the maximum privilege level.

    Default: medium

system-diagnostics {enable | disable}
    Enable or disable the permission to run system diagnose commands.

    Default: enable

system-quarantine-folder {Bulk Content Dlp Virus PersonalOut Content_PasswordProtected ...}
    Select which system quarantine folders can be accessed by administrator accounts associated with this access profile.

    Available options vary by whether you have created custom folders. To display available options, enter:

        set system-quarantine-folder ?
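The following is an added example, not part of the FortiMail reference itself, that puts the variables above together into one least-privilege profile for helpdesk staff who release quarantined mail: recipient policies are limited to update, logs and archives are read-only with message bodies hidden, diagnose commands are off, and the System functional area stays at none so the administrator cannot widen their own access. It also shows the interface restriction suggested in the Tooltip (an interface that allows only HTTPS). The profile name helpdesk_quarantine, the interface name port2, the comment text and the chosen permissions are assumptions for illustration; the config system interface / set allowaccess command path is assumed from FortiMail's interface syntax rather than taken from this page. Lines starting with # are explanatory comments, not CLI input.

```text
# Added example: least-privilege access profile for quarantine helpdesk staff.
# Profile name, interface name, comment and permission choices are assumptions.
config system accprofile
    edit helpdesk_quarantine
        set comment "Helpdesk: release quarantined mail, read logs, no system changes"
        # low: cannot view, change or delete higher-privilege accounts
        set privilege-level low
        # this role does not need diagnose commands
        set system-diagnostics disable
        config menuitem
            # open the policy area, then the recipient-policy sub-area,
            # and grant update only on incoming recipient policies
            edit policy_grp
                set permission custom
            next
            edit rcpt_policy
                set permission custom
            next
            edit PolicyRecipientIncoming
                set permission read-update
            next
            # logs are view-only
            edit log_grp
                set permission read
            next
            # archive search is allowed, but email contents stay hidden
            edit archive_grp
                set permission read
                set content-detail disable
            next
            # explicitly none, so the administrator cannot change
            # their own access {cli gui rest} setting
            edit system_grp
                set permission none
            next
        end
        # only the quarantine folders this role works with
        set system-quarantine-folder Bulk Virus
    next
end

# Tooltip follow-up: a dedicated management interface that allows only HTTPS,
# on which restricted administrators are required to log in (name assumed).
config system interface
    edit port2
        set allowaccess https
    next
end
```

Because permissions are granted per functional area and the greatest permission wins inside a shared CLI object, keeping system_grp at none and forcing GUI-only access through the HTTPS interface are what actually stop this profile from being widened by its own holder; the menuitem settings alone do not.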

Related topics

system admin
