If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. See “config system admin”. |
Even if you assign the prof_admin access profile to other administrators, they will not have all of the same permissions as the admin account. The admin account has some special permissions, such as the ability to reset administrator passwords, that are inherent in that account only. Other accounts should not be considered a complete substitute. |
Variable | Description | Default |
<access-profile_name> | Type the name of the access profile. The maximum length is 35 characters. To display the list of existing profiles, type: edit ? | No default. |
admingrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the system administrator configuration. Available only when administrative domains (ADOMs) are disabled. See adom-admin {enable | disable} in “config system global”. | none |
authusergrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the HTTP authentication user configuration. | none |
learngrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the auto-learning profiles and their resulting auto-learning reports. | none |
loggrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the logging and alert email configuration. | none |
mntgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to maintenance commands. Unlike the other rows, whose scope is an area of the configuration, the maintenance access control area does not affect the configuration. Instead, it indicates whether the administrator can perform special system operations such as changing the firmware. | none |
netgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the network interface and routing configuration. | none |
sysgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the basic system configuration (except for areas included in other access control areas such as admingrp). | none |
traroutegrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the server policy (formerly called traffic routing) configuration. | none |
wadgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the web anti-defacement configuration. | none |
webgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the web protection profile configuration. | none |
wvsgrp {none | r | rw | w} | Type the degree of access that administrator accounts using this access profile will have to the web vulnerability scanner. | none |
Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access. |