About administrator account permissions and domains
Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.
Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.
The domain to which an administrator is assigned is one of:
System
The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.
a protected domain
The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode”.)
 
There are exceptions. Domain administrators can configure IP-based policies, the global block list, the global safe list, the blocklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.
Table 16: Areas of the GUI that domain administrators cannot access
Maintenance
Monitor except for the Personal quarantine tab
System except for the Administrator tab
Mail Settings except for the domain, its subdomains, and associated domains
User > User > PKI User
Policy > Access Control > Receive
Policy > Access Control > Delivery
Profile > Authentication
AntiSpam except for AntiSpam > Bayesian > User and AntiSpam > Block/Safe List
Email Archiving
Log and Report
Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles”.
Table 17: Areas of control in access profiles
For each config command, there is an equivalent get/show command, unless otherwise noted. config access requires write permission. get/show access requires read permission.

Access control area name: Block/Safe List (in the web UI), block-safe-list (in the CLI)
Grants access to, in the web UI:
Monitor > Endpoint Reputation > Auto Blocklist
Maintenance > AntiSpam > Block/Safe List Maintenance
AntiSpam > Block/Safe List ...
Grants access to, in the CLI:
N/A

Access control area name: Quarantine (in the web UI), quarantine (in the CLI)
Grants access to, in the web UI:
Monitor > Quarantine ...
AntiSpam > Quarantine > Quarantine Report
AntiSpam > Quarantine > System Quarantine Setting
AntiSpam > Quarantine > Control Account
Grants access to, in the CLI:
config antispam quarantine-report
config mailsetting systemquarantine

Access control area name: Policy (in the web UI), policy (in the CLI)
Grants access to, in the web UI:
Monitor > Mail Queue ...
Monitor > Greylist ...
Monitor > Sender Reputation > Display
Mail Settings > Domains > Domains
Mail Settings > Proxies > Proxies
User > User ...
Policy ...
Profile ...
AntiSpam > Greylist ...
AntiSpam > Bounce Verification > Settings
AntiSpam > Endpoint Reputation ...
AntiSpam > Bayesian ...
Grants access to, in the CLI:
config antispam greylist exempt
config antispam bounce-verification key
config antispam settings
config domain
config mailsetting proxy-smtp
config policy ...
config profile ...
config user ...

Access control area name: Archive (in the web UI), archive (in the CLI)
Grants access to, in the web UI:
Email Archiving
Monitor > Archive
Grants access to, in the CLI:
config archive

Access control area name: Greylist (in the web UI), greylist (in the CLI)
Grants access to, in the web UI:
Monitor > Greylist ...
AntiSpam > Greylist ...
Grants access to, in the CLI:
config antispam greylist ...
get antispam greylist ...

Access control area name: Others (in the web UI), others (in the CLI)
Grants access to, in the web UI:
Monitor > System Status ...
Monitor > Archive > Email Archives
Monitor > Log ...
Monitor > Report ...
Maintenance ... except the Block/Safe List Maintenance tab
System ...
Mail Settings > Settings ...
Mail Settings > Address Book > Address Book
User > User Alias > User Alias
User > Address Map > Address Map
Email Archiving ...
Log and Report ...
Grants access to, in the CLI:
config archive ...
config log ...
config mailsetting relayserver
config mailsetting storage
config report
config system ...
config user alias
config user map
diagnose ...
execute ...
get system status
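
The exception noted earlier (domain administrators with Read-Write permission can still change IP-based policies, the global block and safe lists, the blocklist action, and the global Bayesian database) can be checked across an account inventory. The following is an added example, not Fortinet code: the inventory format, the sample accounts, and the mapping of those settings onto the block-safe-list and policy areas of Table 17 are assumptions.

```python
# Added example: flag domain administrators whose access profile grants
# read-write on areas that reach global settings. Inventory format, sample
# accounts and the setting-to-area mapping are assumptions, not FortiMail output.
SYSTEM_DOMAIN = "system"
AREAS = ("block-safe-list", "quarantine", "policy", "archive", "greylist", "others")

# Assumed mapping of the page's exceptions onto Table 17 area names (CLI form).
GLOBAL_REACH = {
    "block-safe-list": "global block list, global safe list, blocklist action",
    "policy": "IP-based policies, global Bayesian database",
}

def audit(admins, profiles):
    """Return (admin, area, detail) findings for a list of admin records."""
    findings = []
    for admin in admins:
        profile = profiles.get(admin["profile"])
        if profile is None:
            # An unresolved profile cannot be reasoned about: report it.
            findings.append((admin["name"], None, "unknown access profile"))
            continue
        if admin["domain"].strip().lower() == SYSTEM_DOMAIN:
            continue  # System admins are limited only by the profile itself.
        for area, detail in GLOBAL_REACH.items():
            # An area missing from a profile is treated as no access.
            if profile.get(area, "none") == "read-write":
                findings.append((admin["name"], area, detail))
    return findings

# Constructed sample data.
PROFILES = {
    "full": dict.fromkeys(AREAS, "read-write"),
    "domain-ops": {"quarantine": "read-write", "policy": "read"},
    "domain-policy": {"policy": "read-write", "block-safe-list": "read-write"},
}
ADMINS = [
    {"name": "root-admin", "domain": "System", "profile": "full"},
    {"name": "helpdesk", "domain": "example.com", "profile": "domain-ops"},
    {"name": "mailops", "domain": "example.org", "profile": "domain-policy"},
    {"name": "contractor", "domain": "example.net", "profile": "missing"},
]

if __name__ == "__main__":
    for name, area, detail in audit(ADMINS, PROFILES):
        print(f"{name}: {area or '-'}: {detail}")
```

Each finding is a domain administrator whose profile should be reduced to Read or None on the listed area if that reach is not intended.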