
config system accprofile

Use this command to manage access profiles.

Access profiles provision permissions to roles. The following permissions can be assigned:

  • Read (view access)
  • Read-Write (view, change, and execute access)
  • No access

When an administrator has only read access to a feature, the administrator can access the web UI page for that feature and can use the get and show CLI commands for that feature, but cannot make changes to the configuration.

In larger companies where multiple administrators divide the work, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to its assigned role. This is sometimes called role-based access control (RBAC).

Table 20 lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).

For complete access to all commands and abilities, you must log in with the administrator account named admin.

Areas of control in access profiles

| Web UI Menus | CLI Commands |
|---|---|
| System | config system, diagnose hardware, diagnose netlink, diagnose sniffer, diagnose system, execute date, execute ping, execute ping-options, execute traceroute |
| Networking | config router |
| Server Load Balance | config load-balance |
| Link Load Balance | config link-load-balance |
| Global Load Balance | config global-dns-server |
| Security | config firewall |
| Log & Report | config log, execute formatlogdisk |

* For each config command, there is an equivalent get/show command. The config commands require write permission. The get/show commands require read permission.

Before you begin:

  • You must have read-write permission for system settings.

Syntax

    config system accprofile
      edit <name>
        set firewall {none|read|read-write}
        set global-load-balance {none|read|read-write}
        set link-load-balance {none|read|read-write}
        set load-balance {none|read|read-write}
        set log {none|read|read-write}
        set router {none|read|read-write}
        set security {none|read|read-write}
        set system {none|read|read-write}
      next
    end

firewall

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

global-load-balance

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

link-load-balance

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

load-balance

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

log

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

router

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

security

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

system

Set the permission:

  • none: Do not provision access for the menu.
  • read: Provision read-only access.
  • read-write: Enable the role to make changes to the configuration.

Example

    FortiADC-docs # config system accprofile
    FortiADC-docs (accprofile) # edit doc-user
    Add new entry 'doc-user' for node 772

    FortiADC-docs (doc-user) # get
    system : none
    router : none
    firewall : none
    load-balance : none
    log : none
    link-load-balance : none
    global-load-balance : none
    security : none

    FortiADC-docs (doc-user) # set system read-write
    FortiADC-docs (doc-user) # end
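The following Python script is an added example, not part of Fortinet's documentation: it parses access profiles written in the Syntax form above and flags two grants whose reach follows from this page, namely read-write on system (required to manage access profiles) and read-write on log (the area that contains execute formatlogdisk). It assumes the input is config text in that form with optionally quoted profile names; every profile name other than doc-user is hypothetical, and areas never set are treated as none, as the get output above shows for a new entry.

```python
import re

AREAS = ("system", "router", "firewall", "load-balance", "log",
         "link-load-balance", "global-load-balance", "security")
LEVELS = ("none", "read", "read-write")
# Constructed sample in the page's Syntax form; profile names are hypothetical.
SAMPLE = """\
config system accprofile
    edit "log-auditor"
        set log read
    next
    edit doc-user
        set system read-write
    next
    edit "slb-operator"
        set load-balance read-write
        set log read-write
    next
end
"""

def parse_accprofiles(text):
    """Return {profile: {area: level}}; areas never set stay 'none'."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'edit\s+"?([^"]+?)"?', line):
            current = profiles.setdefault(m.group(1), dict.fromkeys(AREAS, "none"))
        elif m := re.fullmatch(r"set\s+(\S+)\s+(\S+)", line):
            area, level = m.groups()
            if current is None or area not in AREAS or level not in LEVELS:
                raise ValueError(f"unexpected line: {line!r}")
            current[area] = level
        elif line in ("next", "end"):
            current = None
    return profiles

def audit(profiles):
    """Flag read-write grants that reach further than the area name suggests."""
    findings = []
    for name, perms in profiles.items():
        if perms["system"] == "read-write":
            findings.append((name, "system", "can manage access profiles"))
        if perms["log"] == "read-write":
            findings.append((name, "log", "can run execute formatlogdisk"))
    return findings

if __name__ == "__main__":
    for name, area, why in audit(parse_accprofiles(SAMPLE)):
        print(f"{name}: {area} read-write -> {why}")
```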

 

 
