system accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read-only access, or allow both read and write access to FortiGate features.
You cannot delete or modify the super_admin access profile, but you can use the super_admin profile with more than one administrator account.
Syntax
config system accprofile
    edit <profile-name>
        set menu-file <filedata>
        set scope {global | vdom}
        set <access-group> <access-level>
        config fwgrp-permission
            set address {none | read | read-write}
            set device {none | read | read-write}
            set others {none | read | read-write}
            set packet-capture {read-only | read-write | none}
            set policy {none | read | read-write}
            set profile {none | read | read-write}
            set schedule {none | read | read-write}
            set service {none | read | read-write}
        end
        config loggrp-permission
            set config {none | read | read-write}
            set data-access {none | read | read-write}
            set threat-weight {none | read | read-write}
        end
        config utmgrp-permission
            set antivirus {none | read | read-write}
            set application-control {none | read | read-write}
            set data-loss-prevention {none | read | read-write}
            set icap {none | read | read-write}
            set ips {none | read | read-write}
            set netscan {none | read | read-write}
            set spamfilter {none | read | read-write}
            set voip {none | read | read-write}
            set webfilter {none | read | read-write}
        end
end
Variable / Description / Default

edit <profile-name>
    Enter a new profile name to create a new profile. Enter an existing profile name to edit that profile.
    Default: No default.

menu-file <filedata>
    Enter the name of the base64-encoded file of data that configures the menu display on the FortiGate unit. For future use.
    Default: No default.

scope {global | vdom}
    Enter the scope of administrator access: global, or a single VDOM.
    Default: vdom

<access-group>
    Enter the feature group for which you are configuring access:
        admingrp: administrator accounts and access profiles
        authgrp: user authentication, including local users, RADIUS servers, LDAP servers, and user groups
        endpoint-control-grp: endpoint control (Endpoint NAC) configuration
        fwgrp: firewall configuration
        loggrp: log and report configuration, including log settings, viewing logs and alert email settings, and the execute batch commands
        mntgrp: maintenance commands: reset to factory defaults, format log disk, reboot, restore and shutdown
        netgrp: interfaces, DHCP servers and zones, including the commands get system status, get system arp table, config system arp-table, execute dhcp lease-list and execute dhcp lease-clear
        routegrp: router configuration
        sysgrp: system configuration except accprofile, admin and autoupdate
        updategrp: FortiGuard antivirus and IPS updates, manual and automatic
        utmgrp: UTM configuration
        vpngrp: VPN configuration
        wanoptgrp: WAN optimization configuration
        wifi: WiFi configuration
    Default: No default.

<access-level>
    Enter the level of administrator access to this feature:
        custom: custom access, valid for fwgrp, loggrp and utmgrp only; the individual permissions are then set in the matching fwgrp-permission, loggrp-permission or utmgrp-permission sub-table
        none: no access
        read: read-only access
        read-write: read and write access
    Default: none

config fwgrp-permission fields. Available if fwgrp is set to custom.

address {none | read | read-write}
    Enter the level of administrator access to firewall addresses.
    Default: none

device {none | read | read-write}
    Enter the level of administrator access to netscan device identification configurations.

others {none | read | read-write}
    Enter the level of administrator access to virtual IP configurations.
    Default: none

packet-capture {read-only | read-write | none}
    Enter the level of administrator access to packet capture.
    Default: none

policy {none | read | read-write}
    Enter the level of administrator access to firewall policies.
    Default: none

profile {none | read | read-write}
    Enter the level of administrator access to firewall profiles.
    Default: none

schedule {none | read | read-write}
    Enter the level of administrator access to firewall schedules.
    Default: none

service {none | read | read-write}
    Enter the level of administrator access to firewall service definitions.
    Default: none

config loggrp-permission fields. Available if loggrp is set to custom.

config {none | read | read-write}
    Enter the level of administrator access to the logging configuration.
    Default: none

data-access {none | read | read-write}
    Enter the level of administrator access to the log data.
    Default: none

threat-weight {none | read | read-write}
    Enter the level of administrator access to threat-weight data.
    Default: none

config utmgrp-permission fields. Available if utmgrp is set to custom.

antivirus {none | read | read-write}
    Enter the level of administrator access to antivirus configuration data.
    Default: none

application-control {none | read | read-write}
    Enter the level of administrator access to application control data.
    Default: none

data-loss-prevention {none | read | read-write}
    Enter the level of administrator access to data loss prevention (DLP) data.
    Default: none

icap {none | read | read-write}
    Enter the level of administrator access to Internet Content Adaptation Protocol (ICAP) configuration.
    Default: none

ips {none | read | read-write}
    Enter the level of administrator access to intrusion prevention (IPS) data.
    Default: none

netscan {none | read | read-write}
    Enter the level of administrator access to network scans.
    Default: none

spamfilter {none | read | read-write}
    Enter the level of administrator access to spamfilter data.
    Default: none

voip {none | read | read-write}
    Enter the level of administrator access to VoIP data.
    Default: none

webfilter {none | read | read-write}
    Enter the level of administrator access to web filter data.
    Default: none
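As an added example (not from the Fortinet reference), a least-privilege profile built from the options above: a VDOM-scoped operator who can edit firewall policies and review logs and UTM settings, but cannot change accounts, system settings, or the objects the policies reference. It uses all three custom sub-tables, and every access group is set explicitly rather than left unset; the profile name is constructed.

```fortios
config system accprofile
    # Constructed example profile: VDOM-scoped operator who can edit firewall
    # policies and view logs, but cannot touch accounts, system or admin settings.
    edit "policy-operator"
        set scope vdom
        set admingrp none
        set authgrp read
        set endpoint-control-grp none
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
            # Objects that policies reference stay read-only for this operator
            set address read
            set service read
            set schedule read
            set profile read
            set others none
            set device none
            set packet-capture none
        end
        set loggrp custom
        # Log data can be viewed; log settings cannot be changed
        config loggrp-permission
            set config none
            set data-access read
            set threat-weight read
        end
        set utmgrp custom
        config utmgrp-permission
            set antivirus read
            set application-control read
            set data-loss-prevention read
            set icap none
            set ips read
            set netscan none
            set spamfilter read
            set voip none
            set webfilter read
        end
        set mntgrp none
        set netgrp read
        set routegrp read
        set sysgrp none
        set updategrp none
        set vpngrp none
        set wanoptgrp none
        set wifi none
    next
end
```

After the block is saved, show system accprofile displays the stored profiles so the granted levels can be reviewed before the profile is assigned to an administrator account.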