Configuring access profiles
Access profiles provision permissions to roles. The following permissions can be assigned:
Read (view access)
Read-Write (view, change, and execute access)
No access
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature and can use the get and show CLI commands for that feature, but cannot make changes to the configuration.
In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
Table 73 lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).
For complete access to all commands and abilities, you must log in with the administrator account named admin.
Table 73: Areas of control in access profiles

| Web UI Menus | CLI Commands |
|---|---|
| System | config system ...; show full-configuration; diagnose ...; execute ... |
| Global Settings | config ddos global ... |
| Protection Profiles | config spp ... |
| Monitor | get system status; get system performance; show system status; show system performance; show full-configuration |
| Log & Report | config log ...; config system mailserver |

* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.
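
The following is an added example, not part of the product or its documentation: a small Python model of Table 73 and the config/get/show rule that derives the least-privilege access profile for a set of CLI commands and flags areas where a profile grants more than the role needs. The function names, the longest-prefix matching, the treatment of diagnose and execute as Read-Write on System, and the choice to charge show full-configuration to System are assumptions made for the example.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

AREAS = ("System", "Global Settings", "Protection Profiles", "Monitor", "Log & Report")

# Table 73 as (CLI object prefix -> web UI menu); the longest matching prefix wins.
AREA_BY_PREFIX = {
    ("system",): "System",
    ("ddos", "global"): "Global Settings",
    ("spp",): "Protection Profiles",
    ("system", "status"): "Monitor",
    ("system", "performance"): "Monitor",
    ("log",): "Log & Report",
    ("system", "mailserver"): "Log & Report",
}
LEVEL_BY_VERB = {"config": Access.READ_WRITE, "get": Access.READ, "show": Access.READ}

# Constructed sample: commands a log-auditing role might run.
AUDITOR_COMMANDS = ["get system status", "get system performance", "show system mailserver"]

def required(command):
    """Return (area, minimum Access) needed to run one CLI command."""
    verb, *obj = command.split()
    if verb in ("execute", "diagnose"):
        # Assumption: both need Read-Write on System; the page only states
        # that Read-Write includes execute access.
        return "System", Access.READ_WRITE
    if verb == "show" and obj[:1] == ["full-configuration"]:
        # Assumption: charged to System, although Table 73 also lists it under Monitor.
        return "System", Access.READ
    if verb not in LEVEL_BY_VERB:
        raise ValueError(f"unknown verb: {command!r}")
    for n in range(len(obj), 0, -1):
        area = AREA_BY_PREFIX.get(tuple(obj[:n]))
        if area:
            return area, LEVEL_BY_VERB[verb]
    raise ValueError(f"not in Table 73: {command!r}")

def minimal_profile(commands):
    """Lowest access level per area that still permits every command."""
    profile = dict.fromkeys(AREAS, Access.NONE)
    for cmd in commands:
        area, level = required(cmd)
        profile[area] = max(profile[area], level)
    return profile

def over_provisioned(granted, commands):
    """Areas where the granted level exceeds need: {area: (granted, needed)}."""
    needed = minimal_profile(commands)
    return {a: (granted.get(a, Access.NONE), needed[a])
            for a in AREAS if granted.get(a, Access.NONE) > needed[a]}
```
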
Before you begin:
You must have Read-Write permission for System settings.
To configure administrator profiles:
1. Go to System > Admin > Access Profile.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 74.
4. Save the configuration.
Figure 127: Admin profile configuration page
 
Table 74: Admin profile configuration guidelines

| Settings | Guidelines |
|---|---|
| Profile name | Unique name. No spaces or special characters. |
| Access Control | None: Do not provision access for the menu. Read Only: Provision read-only access. Read-Write: Enable the role to make changes to the configuration. |

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.