system accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiGate features. You cannot delete or modify the super_admin access profile, but you can use it with more than one administrator account.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command | Description |
---|---|
set secfabgrp {none \| read \| read-write}<br>set ftviewgrp {none \| read \| read-write} | New read or read-write privileges for Security Fabric and FortiView. |
set netgrp {custom \| ...}<br>config netgrp-permission<br>set cfg {none \| read \| read-write}<br>set packet-capture {none \| read \| read-write}<br>set route-cfg {none \| read \| read-write}<br>set sysgrp {custom \| ...}<br>config sysgrp-permission<br>set admin {none \| read \| read-write}<br>set upd {none \| read \| read-write}<br>set cfg {none \| read \| read-write}<br>set mnt {none \| read \| read-write}<br>config utmgrp-permission<br>set endpoint-control {none \| read \| read-write} | Assign read or read-write privileges for network and system permissions and for FortiClient Profiles. Note that the Similarly, |
set mntgrp {none \| read \| read-write}<br>set admingrp {none \| read \| read-write}<br>set updategrp {none \| read \| read-write}<br>set routegrp {none \| read \| read-write}<br>set endpoint-control-grp {none \| read \| read-write} | These options have been removed as part of streamlining and rearranging the more granular permissions under different profile groups. |
```
config system accprofile
    edit {name}
    # Configure access profiles for system administrators.
        set name {string}   Profile name. size[35]
        set scope {vdom | global}   Scope of admin access: global or specific VDOM(s).
                vdom        VDOM access.
                global      Global access.
        set comments {string}   Comment. size[255]
        set secfabgrp {none | read | read-write}   Security Fabric.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set ftviewgrp {none | read | read-write}   FortiView.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set authgrp {none | read | read-write}   Administrator access to Users and Devices.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set sysgrp {none | read | read-write | custom}   System Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set netgrp {none | read | read-write | custom}   Network Configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set loggrp {none | read | read-write | custom}   Administrator access to Logging and Reporting including viewing log messages.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set fwgrp {none | read | read-write | custom}   Administrator access to the Firewall configuration.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set vpngrp {none | read | read-write}   Administrator access to IPsec, SSL, PPTP, and L2TP VPN.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set utmgrp {none | read | read-write | custom}   Administrator access to Security Profiles.
                none        No access.
                read        Read access.
                read-write  Read/write access.
                custom      Customized access.
        set wanoptgrp {none | read | read-write}   Administrator access to WAN Opt & Cache.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        set wifi {none | read | read-write}   Administrator access to the WiFi controller and Switch controller.
                none        No access.
                read        Read access.
                read-write  Read/write access.
        config netgrp-permission
            set cfg {none | read | read-write}   Network Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set packet-capture {none | read | read-write}   Packet Capture Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set route-cfg {none | read | read-write}   Router Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config sysgrp-permission
            set admin {none | read | read-write}   Administrator Users.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set upd {none | read | read-write}   FortiGuard Updates.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set cfg {none | read | read-write}   System Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set mnt {none | read | read-write}   Maintenance.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config fwgrp-permission
            set policy {none | read | read-write}   Policy Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set address {none | read | read-write}   Address Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set service {none | read | read-write}   Service Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set schedule {none | read | read-write}   Schedule Configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config loggrp-permission
            set config {none | read | read-write}   Log & Report configuration.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-access {none | read | read-write}   Log & Report Data Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set report-access {none | read | read-write}   Log & Report Report Access.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set threat-weight {none | read | read-write}   Log & Report Threat Weight.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        config utmgrp-permission
            set antivirus {none | read | read-write}   Antivirus profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set ips {none | read | read-write}   IPS profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set webfilter {none | read | read-write}   Web Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set spamfilter {none | read | read-write}   AntiSpam filter and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set data-loss-prevention {none | read | read-write}   DLP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set application-control {none | read | read-write}   Application Control profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set icap {none | read | read-write}   ICAP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set voip {none | read | read-write}   VoIP profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set waf {none | read | read-write}   Web Application Firewall profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set dnsfilter {none | read | read-write}   DNS Filter profiles and settings.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
            set endpoint-control {none | read | read-write}   FortiClient Profiles.
                    none        No access.
                    read        Read access.
                    read-write  Read/write access.
        set admintimeout-override {enable | disable}   Enable/disable overriding the global administrator idle timeout.
        set admintimeout {integer}   Administrator timeout for this access profile (0 - 480 min, default = 10, 0 means never timeout). range[1-480]
    next
end
```
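The following is an added example, not part of the Fortinet reference, showing a least-privilege profile for network operators built from the custom sub-tables above (it also illustrates the custom level described under Additional information). The profile name, comment and administrator name are constructed; the `config system admin` block and its `set accprofile` option are standard FortiOS commands for attaching a profile to an account but are not documented on this page.

```text
config system accprofile
    edit "netops-audit"
        # Constructed example profile; name and comment are assumptions.
        set comments "NetOps: read-only, plus packet capture and routing"
        set scope vdom
        set secfabgrp read
        set ftviewgrp read
        set authgrp none
        # sysgrp custom: "admin" stays none so members cannot edit admin accounts or profiles.
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set upd none
            set cfg read
            set mnt read
        end
        set netgrp custom
        config netgrp-permission
            set cfg read
            set packet-capture read-write
            set route-cfg read-write
        end
        set loggrp custom
        config loggrp-permission
            set config none
            set data-access read
            set report-access read
            set threat-weight none
        end
        set fwgrp read
        set vpngrp none
        set utmgrp none
        set wanoptgrp none
        set wifi none
        # Shorter idle timeout than the global default, for this profile only.
        set admintimeout-override enable
        set admintimeout 5
    next
end

config system admin
    edit "netops1"
        set accprofile "netops-audit"
        set vdom "root"
        set password <ADMIN_PASSWORD_PLACEHOLDER>
    next
end
```

Keeping sysgrp-permission admin at none is what prevents a member of this profile from editing administrator accounts or access profiles and thereby widening their own access.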
Additional information
The following section is for those options that require additional explanation.
Access Level

The options that are used to configure what level of administrative access the members of the profile group have can be set to the following levels:

Level | Description |
---|---|
none | No access is granted. |
read | Users can read the configuration but make no changes. |
read-write | Users can view and alter configurations. |
custom | Makes available an additional "permission" sub-table for that category of access, with its own more granular settings. Associated with: sysgrp, netgrp, loggrp, fwgrp, utmgrp. |
admingrp
Configure this group to apply permission settings that apply to administrator accounts and access profiles.
authgrp
Configure this group to apply permission settings that apply to user authentication, including local users, RADIUS servers, LDAP servers, and user groups.
endpointcontrol-grp
Configure this group to apply permission settings that apply to endpoint control (Endpoint NAC) configuration.
fwgrp
Configure this group to apply permission settings that apply to firewall configuration settings.
config fwgrp-permission

This configuration option is only available if fwgrp is set to custom, giving the administrator more granular access to firewall configuration. All of these settings can be configured to { none | read | read-write }.

Setting | Level of administrative access to: |
---|---|
address | firewall addresses |
policy | firewall policies |
schedule | firewall schedules |
service | firewall service definitions |
loggrp

Configure this group to apply permission settings that apply to log and report configurations, including:

- log settings
- viewing logs
- alert email settings
- execute batch commands
config loggrp-permission

This configuration option is only available if loggrp is set to custom, giving the administrator more granular access to log and report configuration. All of these settings can be configured to { none | read | read-write }.

Setting | Level of administrative access to: |
---|---|
config | logging configuration |
data-access | log data |
report-access | log reports |
threat-weight | threat-weight data |
mntgrp {none | read | read-write}
Configure this group to apply permission settings that apply to maintenance of the FortiGate. The scope of this option is limited to the following areas:
- Management of configuration files
- Uploading of firmware
- Connectivity to central management such as a FortiManager
- Connectivity to an attached extender device
- Connectivity to attached USB devices
netgrp

Configure this group to apply permission settings that apply to networking, including:

- interfaces
- DHCP servers
- zones
- get system status
- get system arp table
- config system arp-table
- execute dhcp lease-list
- execute dhcp lease-clear
routegrp
Configure this group to apply permission settings that apply to router configuration.
sysgrp

Configure this group to apply permission settings that apply to system configuration.

Exceptions:

- system accprofile
- system admin
- system autoupdate
updategrp
Configure this group to apply permission settings that apply to FortiGuard antivirus and IPS updates (manual and automatic).
utmgrp
Configure this group to apply permission settings that apply to UTM configuration.
config utmgrp-permission

This configuration option is only available if utmgrp is set to custom, giving the administrator more granular access to security profile (UTM) configuration. All of these settings can be configured to { none | read | read-write }.

Setting | Level of administrative access to: |
---|---|
antivirus | antivirus configuration data |
application-control | application control data |
data-loss-prevention | data loss prevention (DLP) data |
dnsfilter | DNS filter profiles and settings |
endpoint-control | FortiClient profiles |
icap | Internet Content Adaptation Protocol (ICAP) configuration |
ips | intrusion prevention (IPS) data |
netscan | network scans |
spamfilter | spam filter data |
voip | VoIP data |
waf | Web Application Firewall profiles and settings |
webfilter | web filter data |
vpngrp

Configure this group to apply permission settings that apply to VPN configuration.

wanoptgrp

Configure this group to apply permission settings that apply to WAN optimization configuration.

wifi

Configure this group to apply permission settings that apply to WiFi configuration.