config system accprofile
Use this command to manage access profiles.
Access profiles provision permissions to roles. The following permissions can be assigned:
Read (view access)
Read-Write (view, change, and execute access)
No access
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature, and can use the get and show CLI commands for that feature, but cannot make changes to the configuration.
In larger companies where multiple administrators divide the work, access profiles often reflect the specific job (“role”) that each administrator does, such as account creation or log auditing. Access profiles can limit each administrator account to its assigned role. This is sometimes called role-based access control (RBAC).
Table 17 lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).
For complete access to all commands and abilities, you must log in with the administrator account named admin.
Table 17: Areas of control in access profiles

Web UI Menus          CLI Commands
System                config system
                      diagnose hardware
                      diagnose netlink
                      diagnose sniffer
                      diagnose system
                      execute date
                      execute ping
                      execute ping-options
                      execute traceroute
Networking            config router
Server Load Balance   config load-balance
Link Load Balance     config link-load-balance
Global DNS Server     config global-dns-server
Security              config firewall
Log & Report          config log
                      config report
                      execute formatlogdisk

* For each config command, there is an equivalent get/show command. The config commands require write permission. The get/show commands require read permission.
Before you begin:
You must have read-write permission for system settings.
Syntax
config system accprofile
  edit <name>
    set firewall {none|read|read-write}
    set global-dns-server {none|read|read-write}
    set link-load-balance {none|read|read-write}
    set load-balance {none|read|read-write}
    set log {none|read|read-write}
    set router {none|read|read-write}
    set system {none|read|read-write}
  next
end
 
firewall
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
global-dns-server
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
link-load-balance
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
load-balance
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
log
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
router
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
system
Set the permission:
none—Do not provision access for the menu.
read—Provision read-only access.
read-write—Enable the role to make changes to the configuration.
Example
FortiADC-VM # config system accprofile
FortiADC-VM (accprofile) # edit doc-admin
Add new entry 'doc-admin' for node 772
FortiADC-VM (doc-admin) # end
FortiADC-VM # get system accprofile doc-admin
system : none
router : none
firewall : none
load-balance : none
log : none
link-load-balance : none
global-dns-server : none
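
The following is an added example, not part of the FortiADC documentation: a small audit script that parses the `get system accprofile <name>` output format shown above and reports every area where a profile holds more access than its role's baseline allows. The `log-auditor` profile, its sample output, and the baseline are constructed assumptions; the areas and permission levels are the ones listed in the syntax section.

```python
import re

# Permission levels from the page's syntax, least to most privileged.
LEVELS = {"none": 0, "read": 1, "read-write": 2}
# The seven areas that `config system accprofile` accepts.
AREAS = ("system", "router", "firewall", "load-balance", "log",
         "link-load-balance", "global-dns-server")

def parse_accprofile(text):
    """Parse `get system accprofile <name>` output into {area: level}."""
    perms = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z-]+)\s*:\s*(\S+)\s*$", line)
        if not m:
            continue  # prompt lines and blank lines are skipped
        area, level = m.groups()
        if area not in AREAS or level not in LEVELS:
            raise ValueError(f"unexpected line: {line!r}")  # fail closed
        perms[area] = level
    missing = sorted(set(AREAS) - set(perms))
    if missing:
        raise ValueError(f"areas missing from output: {missing}")
    return perms

def excess_privileges(perms, baseline):
    """Return {area: (actual, allowed)} where actual exceeds the baseline.
    Areas absent from the baseline are treated as allowed 'none'."""
    findings = {}
    for area in AREAS:
        allowed = baseline.get(area, "none")
        if LEVELS[perms[area]] > LEVELS[allowed]:
            findings[area] = (perms[area], allowed)
    return findings

# Constructed sample output for a hypothetical 'log-auditor' profile.
SAMPLE = """\
FortiADC-VM # get system accprofile log-auditor
system : read
router : none
firewall : none
load-balance : none
log : read-write
link-load-balance : none
global-dns-server : none
"""
# Assumed baseline for the role: view logs only.
BASELINE = {"log": "read"}

if __name__ == "__main__":
    print(excess_privileges(parse_accprofile(SAMPLE), BASELINE))
```

Table 17 lists execute formatlogdisk under Log & Report and read-write includes execute access, so a log-auditing role flagged for read-write on log is worth reducing to read.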