Fortinet black logo

CLI Reference

system accprofile

system accprofile

Use this command to configure access control profiles for administrators.

If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. For details, see system admin.

Access profiles determine administrator accounts’ permissions.

When an administrator has only read access to a feature, the administrator can access the web UI page for that feature, and can use the get and show CLI command for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.

In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of essentially UNIX root-like permissions.

If you create more administrator accounts, whether to harden security or simply to prevent accidental modification, create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each administrator account the appropriate role-based access profile.

For example, for a person whose only role is to audit the log messages, you might make an access profile named auditor that only has Read permissions to the Log & Report area.

For information on how each access control area correlates to which CLI commands that administrators can access, see Permissions

To use this command, your administrator account’s access control profile must have both r and w permissions to items in the admingrp category.

Syntax

config system accprofile

edit "<access-profile_name>"

set admingrp {none | r | rw | w}

set authusergrp {none | r | rw | w}

set loggrp {none | r | rw | w}

set mlgrp {none | r | rw | w}

set mntgrp {none | r | rw | w}

set netgrp {none | r | rw | w}

set sysgrp {none | r | rw | w}

set traroutegrp {none | r | rw | w}

set syncookie {enable | disable}

set webgrp {none | r | rw | w}

set wvsgrp {none | r | rw | w}

next

end

Variable Description Default

"<access-profile_name>"

Enter the name of the access profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

admingrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the system administrator configuration.

Available only when administrative domains (ADOMs) are disabled. For details, see .

none

authusergrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the HTTP authentication user configuration. none

loggrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the logging and alert email configuration. none
mlgrp {none | r | rw | w} Enter the degree of access that administrator accounts using this access profile will have to the machine learning configuration. none

mntgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to maintenance commands.

Unlike the other rows, whose scope is an area of the configuration, the maintenance access control area does not affect the configuration. Instead, it indicates whether the administrator can perform special system operations such as changing the firmware.

none

netgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the network interface and routing configuration. none

sysgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the basic system configuration (except for areas included in other access control areas such as admingrp). none

traroutegrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the server policy (formerly called traffic routing) configuration. none

wadgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web anti-defacement configuration. none

webgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web protection profile configuration. none

wvsgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web vulnerability scanner. none

Example

This example configures an administrator access profile named full_access, which permits both read and write access to all special operations and parts of the configuration.

Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access.

config system accprofile

edit "full_access"

set admingrp rw

set authusergrp rw

set loggrp rw

set mlgrp rw

set mntgrp rw

set netgrp rw

set sysgrp rw

set traroutegrp rw

set wadgrp rw

set webgrp rw

set wvsgrp rw

next

end

Related topics

system accprofile

system accprofile

Use this command to configure access control profiles for administrators.

If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. For details, see system admin.

Access profiles determine administrator accounts’ permissions.

When an administrator has only read access to a feature, the administrator can access the web UI page for that feature, and can use the get and show CLI command for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.

In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of essentially UNIX root-like permissions.

If you create more administrator accounts, whether to harden security or simply to prevent accidental modification, create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each administrator account the appropriate role-based access profile.

For example, for a person whose only role is to audit the log messages, you might make an access profile named auditor that only has Read permissions to the Log & Report area.

For information on how each access control area correlates to which CLI commands that administrators can access, see Permissions

To use this command, your administrator account’s access control profile must have both r and w permissions to items in the admingrp category.

Syntax

config system accprofile

edit "<access-profile_name>"

set admingrp {none | r | rw | w}

set authusergrp {none | r | rw | w}

set loggrp {none | r | rw | w}

set mlgrp {none | r | rw | w}

set mntgrp {none | r | rw | w}

set netgrp {none | r | rw | w}

set sysgrp {none | r | rw | w}

set traroutegrp {none | r | rw | w}

set syncookie {enable | disable}

set webgrp {none | r | rw | w}

set wvsgrp {none | r | rw | w}

next

end

Variable Description Default

"<access-profile_name>"

Enter the name of the access profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

admingrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the system administrator configuration.

Available only when administrative domains (ADOMs) are disabled. For details, see .

none

authusergrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the HTTP authentication user configuration. none

loggrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the logging and alert email configuration. none
mlgrp {none | r | rw | w} Enter the degree of access that administrator accounts using this access profile will have to the machine learning configuration. none

mntgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to maintenance commands.

Unlike the other rows, whose scope is an area of the configuration, the maintenance access control area does not affect the configuration. Instead, it indicates whether the administrator can perform special system operations such as changing the firmware.

none

netgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the network interface and routing configuration. none

sysgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the basic system configuration (except for areas included in other access control areas such as admingrp). none

traroutegrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the server policy (formerly called traffic routing) configuration. none

wadgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web anti-defacement configuration. none

webgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web protection profile configuration. none

wvsgrp {none | r | rw | w}

Enter the degree of access that administrator accounts using this access profile will have to the web vulnerability scanner. none

Example

This example configures an administrator access profile named full_access, which permits both read and write access to all special operations and parts of the configuration.

Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access.

config system accprofile

edit "full_access"

set admingrp rw

set authusergrp rw

set loggrp rw

set mlgrp rw

set mntgrp rw

set netgrp rw

set sysgrp rw

set traroutegrp rw

set wadgrp rw

set webgrp rw

set wvsgrp rw

next

end

Related topics