Permissions
Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all CLI commands or areas of the web UI.
Two things together control which commands and settings an administrator account can use:
  access profiles
  administrative domains (ADOMs)
Access profiles assign one of the following to each area of the FortiWeb software:
  Read (view access)
  Write (change and execute access)
  both Read and Write
  no access
Similar to VDOMs on FortiGate, ADOMs on FortiWeb divide policies and other settings so that each set can be assigned to a different administrator.
Table 5: Areas of control in access profiles
Each entry gives the access profile setting (its web UI name and its CLI name), followed by the web UI areas and the CLI commands it grants access to*.

Admin Users (CLI name: admingrp)
  Web UI: System > Admin ... except Settings
  CLI:    config system admin
          config system accprofile

Auth Users (CLI name: authusergrp)
  Web UI: User ...
  CLI:    config user ...

Autolearn Configuration (CLI name: learngrp)
  Web UI: Auto Learn > Auto Learn Profile > Auto Learn Profile
  CLI:    config server-policy custom-application ...
          config waf web-protection-profile autolearning-profile
  Note: Because generating an auto-learning profile also generates its required components, this area also confers Write permission to those components in the Web Protection Configuration/wafgrp area.

Log & Report (CLI name: loggrp)
  Web UI: Log & Report ...
  CLI:    config log ...
          execute formatlogdisk

Maintenance (CLI name: mntgrp)
  Web UI: System > Maintenance except System Time tab
  CLI:    diagnose system ...
          execute backup ...
          execute factoryreset
          execute reboot
          execute restore ...
          execute shutdown
          diagnose system flash ...

Network Configuration (CLI name: netgrp)
  Web UI: System > Network ...
  CLI:    config system interface
          config system dns
          config system v-zone
          diagnose network ... except sniffer ...

Router Configuration (CLI name: routegrp)
  Web UI: Router ...
  CLI:    config router ...

System Configuration (CLI name: sysgrp)
  Web UI: System ... except Network, Admin, and Maintenance tabs
  CLI:    config system except accprofile, admin, dns, interface, and v-zone
          diagnose hardware ...
          diagnose network sniffer ...
          diagnose system ... except flash ...
          execute date ...
          execute ha ...
          execute ping ...
          execute ping-options ...
          execute traceroute ...
          execute time ...

Server Policy Configuration (CLI name: traroutegrp)
  Web UI: Policy > Server Policy ...
          Server Objects ...
          Application Delivery ...
  CLI:    config server-policy ... except custom-application ...
          config waf file-compress-rule
          config waf file-uncompress-rule
          config waf http-authen ...
          config waf url-rewrite ...
          diagnose policy ...

Web Anti-Defacement Management (CLI name: wadgrp)
  Web UI: Web Anti-Defacement ...
  CLI:    config wad ...

Web Protection Configuration (CLI name: wafgrp)
  Web UI: Policy > Web Protection ...
          Web Protection ...
          DoS Protection ...
  CLI:    config system dos-prevention
          config waf except:
            config waf file-compress-rule
            config waf file-uncompress-rule
            config waf http-authen ...
            config waf url-rewrite ...
            config waf web-custom-robot
            config waf web-protection-profile autolearning-profile
            config waf web-robot
            config waf x-forwarded-for

Web Vulnerability Scan Configuration (CLI name: wvsgrp)
  Web UI: Web Vulnerability Scan ...
  CLI:    config wvs ...
* For each config command, there is an equivalent get/show command, unless otherwise noted.
config access requires write permission.
get/show access requires read permission.
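To make the mapping in Table 5 and its footnote concrete, the following Python model is added here as an illustration; it is not FortiWeb code. It resolves a CLI command to the access profile group that governs it (first match wins, so the "except" carve-outs are listed before the broader prefix they come out of), treats get/show as the Read twin of the matching config command, and then checks the command against a profile. The group names and command prefixes are those in Table 5; the permission values none/r/w/rw, the decision to treat execute and diagnose as Write, the sample profiles and every function name are assumptions made for this example.

```python
"""Constructed model of the Table 5 access-profile check (not FortiWeb code)."""
from typing import Dict, List, Optional, Tuple

# Ordered (prefix, group) pairs taken from Table 5.  Exceptions such as
# "diagnose network sniffer" (sysgrp, not netgrp) precede the broader prefix
# they are carved out of, so the first match wins.  A group of None marks a
# command Table 5 lists only as an exclusion from wafgrp without assigning it.
# Table 5 lists "diagnose system ..." under mntgrp and (except flash) sysgrp;
# this model gives flash to mntgrp and the rest to sysgrp.
COMMAND_AREAS: List[Tuple[str, Optional[str]]] = [
    ("config system admin", "admingrp"),
    ("config system accprofile", "admingrp"),
    ("config user", "authusergrp"),
    ("config server-policy custom-application", "learngrp"),
    ("config waf web-protection-profile autolearning-profile", "learngrp"),
    ("config log", "loggrp"),
    ("execute formatlogdisk", "loggrp"),
    ("diagnose system flash", "mntgrp"),
    ("execute backup", "mntgrp"),
    ("execute factoryreset", "mntgrp"),
    ("execute reboot", "mntgrp"),
    ("execute restore", "mntgrp"),
    ("execute shutdown", "mntgrp"),
    ("config system interface", "netgrp"),
    ("config system dns", "netgrp"),
    ("config system v-zone", "netgrp"),
    ("diagnose network sniffer", "sysgrp"),
    ("diagnose network", "netgrp"),
    ("config router", "routegrp"),
    ("config system dos-prevention", "wafgrp"),
    ("config system", "sysgrp"),
    ("diagnose hardware", "sysgrp"),
    ("diagnose system", "sysgrp"),
    ("execute date", "sysgrp"),
    ("execute ha", "sysgrp"),
    ("execute ping", "sysgrp"),
    ("execute ping-options", "sysgrp"),
    ("execute traceroute", "sysgrp"),
    ("execute time", "sysgrp"),
    ("config server-policy", "traroutegrp"),
    ("config waf file-compress-rule", "traroutegrp"),
    ("config waf file-uncompress-rule", "traroutegrp"),
    ("config waf http-authen", "traroutegrp"),
    ("config waf url-rewrite", "traroutegrp"),
    ("diagnose policy", "traroutegrp"),
    ("config wad", "wadgrp"),
    ("config waf web-custom-robot", None),
    ("config waf web-robot", None),
    ("config waf x-forwarded-for", None),
    ("config waf", "wafgrp"),
    ("config wvs", "wvsgrp"),
]

# Assumed profile values and what each grants; "rw" covers Read and Write.
GRANTS = {"none": set(), "r": {"r"}, "w": {"w"}, "rw": {"r", "w"}}


def area_for(command: str) -> Optional[str]:
    """Return the access profile group that controls `command`, or None."""
    words = command.split()
    # Footnote: each config command has a get/show twin, so resolve those
    # against the config prefixes in the table.
    if words and words[0] in ("get", "show"):
        words = ["config"] + words[1:]
    normalized = " ".join(words)
    for prefix, group in COMMAND_AREAS:
        if normalized == prefix or normalized.startswith(prefix + " "):
            return group
    return None


def required_permission(command: str) -> str:
    """get/show need Read; config needs Write per the footnote, and this
    model assumes execute and diagnose need Write as well."""
    return "r" if command.split()[0] in ("get", "show") else "w"


def is_allowed(profile: Dict[str, str], command: str,
               is_root_admin: bool = False) -> bool:
    """Decide whether an account holding `profile` may run `command`.

    `profile` maps a group name such as "wafgrp" to "none", "r", "w" or "rw";
    groups missing from it count as "none".  The built-in admin account has
    full permission and bypasses the profile entirely.
    """
    if is_root_admin:
        return True
    group = area_for(command)
    if group is None:
        return False
    granted = set(GRANTS[profile.get(group, "none")])
    # Table 5 note: Write on learngrp also confers Write on wafgrp components.
    if group == "wafgrp" and "w" in GRANTS[profile.get("learngrp", "none")]:
        granted.add("w")
    return required_permission(command) in granted


# Constructed sample profiles: a read-everything auditor and a WAF operator.
AUDITOR = {g: "r" for g in ("admingrp", "authusergrp", "learngrp", "loggrp",
                            "mntgrp", "netgrp", "routegrp", "sysgrp",
                            "traroutegrp", "wadgrp", "wafgrp", "wvsgrp")}
WAF_OPERATOR = {"wafgrp": "rw", "traroutegrp": "r", "loggrp": "r"}

if __name__ == "__main__":
    for who, prof in (("auditor", AUDITOR), ("waf operator", WAF_OPERATOR)):
        for cmd in ("show system admin", "config system admin",
                    "config waf url-rewrite", "execute reboot"):
            verdict = "allow" if is_allowed(prof, cmd) else "deny"
            print(f"{who:13} {cmd:24} -> {verdict}")
```

The ordering of COMMAND_AREAS is the whole point: `config waf url-rewrite` is denied to the WAF operator even though wafgrp is read-write, because Table 5 moves it to traroutegrp, and `config waf x-forwarded-for` is denied to everyone but the built-in admin because the table only excludes it from wafgrp. When auditing a real profile, walk the exceptions in the table the same way rather than assuming a group name covers every command that shares its prefix.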
 
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts and ADOMs. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.
 
Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiWeb appliance.
For complete access to all commands and abilities, you must log in with the administrator account named admin.
See also
Configuring access profiles
Administrators
Administrative domains (ADOMs)
Trusted hosts