Configure access profiles

Access profiles provision permissions to roles. The following permissions can be assigned:

  • Read (view access)
  • Read-Write (view, change, and execute access)
  • No access

When an administrator has only read access to a feature, the administrator can open the web UI page for that feature and can use the get and show CLI commands for that feature, but cannot make changes to the configuration.

In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

The table Areas of control in access profiles lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).

For complete access to all commands and abilities, you must log in with the administrator account named admin.

Areas of control in access profiles

Web UI Menus          CLI Commands

System                config system
                      diagnose hardware
                      diagnose sniffer
                      diagnose system
                      execute date
                      execute ping
                      execute ping-options
                      execute traceroute

Router                config router

Server Load Balance   config load-balance

Link Load Balance     config link-load-balance

Global Load Balance   config global-dns-server
                      config global-load-balance

Security              config firewall
                      config security waf

Log & Report          config log
                      config report
                      execute rebuild-db

* For each config command, there is an equivalent get/show command. The config commands require write permission. The get/show commands require read permission.

Before you begin:

  • You must have Read-Write permission for System settings.

To configure administrator profiles:

  1. Click System > Administrator.
  2. Click the Access Profile tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Configure access profiles.
  5. Click Save.

Access profile configuration

Settings              Guidelines

Name                  Specify a name for the access profile configuration. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

System                Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Networking            Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

User                  Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Server Load Balance   Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Link Load Balance     Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Global Load Balance   Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Security              Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Log & Report          Select one of the following:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

Shared Resource       For each category, set the permission:
                        • None: Do not provision access for the menu.
                        • Read Only: Provision read-only access.
                        • Read-Write: Enable the role to make changes to the configuration.

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.
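
When planning least-privilege profiles, it helps to model the areas-of-control table offline before touching the appliance. The following Python sketch is an added example, not Fortinet code: it maps a CLI command to the menu and permission level the table implies, checks a profile against it, and derives the lowest profile that covers a role's command list. It assumes that diagnose and execute commands need Read-Write and that commands absent from the table are denied; the function names are hypothetical.

```python
LEVELS = {"none": 0, "read": 1, "read-write": 2}
# Object after config/get/show -> web UI menu ("Areas of control" table).
CONFIG_AREAS = {
    "system": "System", "router": "Router",
    "load-balance": "Server Load Balance",
    "link-load-balance": "Link Load Balance",
    "global-dns-server": "Global Load Balance",
    "global-load-balance": "Global Load Balance", "firewall": "Security",
    "security waf": "Security", "log": "Log & Report", "report": "Log & Report",
}
# diagnose/execute commands listed in the same table.
OTHER_AREAS = {
    "diagnose hardware": "System", "diagnose sniffer": "System",
    "diagnose system": "System", "execute date": "System",
    "execute ping": "System", "execute ping-options": "System",
    "execute traceroute": "System", "execute rebuild-db": "Log & Report",
}

def required(command):
    """Return (menu, level) a CLI command needs, or None if not in the table."""
    words = command.split()
    if words and words[0] in ("config", "get", "show"):
        level = "read-write" if words[0] == "config" else "read"
        # Try two-word objects ("security waf") before one-word ones.
        menu = (CONFIG_AREAS.get(" ".join(words[1:3]))
                or CONFIG_AREAS.get(" ".join(words[1:2])))
    else:
        # Assumption: diagnose/execute need Read-Write ("execute access").
        level = "read-write"
        menu = OTHER_AREAS.get(" ".join(words[:2]))
    return (menu, level) if menu else None

def is_allowed(profile, command):
    """Default-deny check of one command against a {menu: level} profile."""
    need = required(command)
    if need is None:
        return False  # assumption: unlisted commands are left to admin
    menu, level = need
    return LEVELS[profile.get(menu, "none")] >= LEVELS[level]

def minimal_profile(commands):
    """Lowest per-menu levels that still allow every listed command."""
    profile = {}
    for cmd in commands:
        need = required(cmd)
        if need is None:
            raise ValueError(f"no access-profile area covers {cmd!r}")
        menu, level = need
        if LEVELS[level] > LEVELS[profile.get(menu, "none")]:
            profile[menu] = level
    return profile
```

Running minimal_profile over the commands a log-auditing role actually uses gives the settings to select in the configuration editor; any menu missing from the result stays at None.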
