config : system accprofile
 
system accprofile
Use this command to configure access control profiles for administrators.
 
If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. See “config system admin”.
Access profiles determine administrator accounts’ permissions.
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature and can use the get and show CLI commands for that feature, but cannot make changes to the configuration: there are no Create or Apply buttons and no config CLI commands, and lists display only the View icon instead of the icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.
In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of essentially UNIX root-like permissions.
 
Even if you assign the prof_admin access profile to other administrators, they will not have all of the same permissions as the admin account. The admin account has some special permissions, such as the ability to reset administrator passwords, that are inherent in that account only. Other accounts should not be considered a complete substitute.
If you create more administrator accounts, whether to harden security or simply to prevent accidental modification, create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each administrator account the appropriate role-based access profile.
For example, for a person whose only role is to audit the log messages, you might make an access profile named auditor that only has Read permissions to the Log & Report area.
For information on which CLI commands each access control area grants administrators access to, see “Permissions”.
To use this command, your administrator account’s access control profile must have both r and w permissions to items in the admingrp category.
Syntax
config system accprofile
    edit <access-profile_name>
        set admingrp {none | r | rw | w}
        set authusergrp {none | r | rw | w}
        set learngrp {none | r | rw | w}
        set loggrp {none | r | rw | w}
        set mntgrp {none | r | rw | w}
        set netgrp {none | r | rw | w}
        set sysgrp {none | r | rw | w}
        set traroutegrp {none | r | rw | w}
        set wadgrp {none | r | rw | w}
        set webgrp {none | r | rw | w}
        set wvsgrp {none | r | rw | w}
    next
end
<access-profile_name>
Description: Type the name of the access profile. The maximum length is 35 characters. To display the list of existing profiles, type:
    edit ?
Default: No default.

admingrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the system administrator configuration. Available only when administrative domains (ADOMs) are disabled. See adom-admin {enable | disable} in “config system global”.
Default: none

authusergrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the HTTP authentication user configuration.
Default: none

learngrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the auto-learning profiles and their resulting auto-learning reports.
Default: none

loggrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the logging and alert email configuration.
Default: none

mntgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to maintenance commands. Unlike the other access control areas, whose scope is a part of the configuration, the maintenance area does not affect the configuration. Instead, it indicates whether the administrator can perform special system operations such as changing the firmware.
Default: none

netgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the network interface and routing configuration.
Default: none

sysgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the basic system configuration (except for areas included in other access control areas such as admingrp).
Default: none

traroutegrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the server policy (formerly called traffic routing) configuration.
Default: none

wadgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the web anti-defacement configuration.
Default: none

webgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the web protection profile configuration.
Default: none

wvsgrp {none | r | rw | w}
Description: Type the degree of access that administrator accounts using this access profile will have to the web vulnerability scanner.
Default: none
Example
This example configures an administrator access profile named full_access, which permits both read and write access to all special operations and parts of the configuration.
 
Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access.
config system accprofile
    edit "full_access"
        set admingrp rw
        set authusergrp rw
        set learngrp rw
        set loggrp rw
        set mntgrp rw
        set netgrp rw
        set sysgrp rw
        set traroutegrp rw
        set wadgrp rw
        set webgrp rw
        set wvsgrp rw
    next
end
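As an added example (not part of the FortiWeb documentation), the following Python script parses access profile configuration in the syntax shown above and flags grants a reviewer should question: rw on admingrp, which this page states is what allows an account to run this command, and w without r. The profile names and the sample configuration are constructed; the parser assumes the edit / set / next / end layout of the Syntax section.

```python
import re
# Access control areas from the Syntax section of this page.
AREAS = ("admingrp", "authusergrp", "learngrp", "loggrp", "mntgrp", "netgrp",
         "sysgrp", "traroutegrp", "wadgrp", "webgrp", "wvsgrp")

# Constructed sample in 'show system accprofile' style: the read-only auditor
# profile the page describes beside an over-privileged (hypothetical) helpdesk profile.
SAMPLE_CONFIG = """\
config system accprofile
    edit "auditor"
        set loggrp r
    next
    edit "helpdesk"
        set admingrp rw
        set authusergrp w
        set loggrp r
    next
end
"""

def parse_accprofiles(text):
    """Return {profile: {area: permission}}; unset areas keep the default 'none'."""
    profiles, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            profiles[current] = {area: "none" for area in AREAS}
            continue
        m = re.match(r"^set\s+(\w+)\s+(none|r|rw|w)$", line)
        if m and current is not None and m.group(1) in AREAS:
            profiles[current][m.group(1)] = m.group(2)
        elif line in ("next", "end"):
            current = None
    return profiles

def audit(profiles):
    """Return {profile: [finding, ...]} for grants a reviewer should question."""
    findings = {}
    for name, perms in profiles.items():
        issues = []
        # rw on admingrp is what this page requires to edit access profiles and
        # administrators, so a holder can widen its own grants.
        if perms["admingrp"] == "rw":
            issues.append("admingrp rw: can modify administrators and access profiles")
        # w without r lets the holder change settings it cannot view.
        issues += [f"{a} w: write without read" for a, p in perms.items() if p == "w"]
        if issues:
            findings[name] = issues
    return findings
```

Feed it the output of `show system accprofile` from an appliance to review every profile against the least-privilege guidance above.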
Related topics
config system admin
config user radius-user
Permissions