Debbie_FTNT
Staff & Editor
March 15, 2017

Technical Tip: Read-only administrators and configuration backup/restore in firmware version 5.4


Description

 

This article explains that on FortiGate, read-only administrators cannot create configuration backups or restore configurations.

 

Scope

 

FortiGate.


Solution

 

Read-only administrators can see only limited information if the 'System' component under the read-only admin profile is given read/write access.

 



Note:

Only the default super_admin profile can fetch all FortiOS components. No custom-configured admin profile can, even one with read/write access to everything.

 

Example:

  • The configuration file will not contain administrators or admin profiles with higher authority than the admin user used to fetch the configuration.
  • DHCP configuration, wireless controller configuration and many other configuration sections depend on the authority given and the profile (custom read/write, read-only, default super_admin) being used.
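
To see what a given backup file lacks, it can be compared section by section against a backup fetched with the default super_admin profile. The script below is an added example, not Fortinet code: the two sample backups are constructed, and the function names and the "auditor"/"read_only" account and profile names are hypothetical.

```python
# Constructed sample backups in FortiOS config syntax (not real device output).
# FULL: fetched with the default super_admin profile; PARTIAL: by a lower-privileged admin.
FULL = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "read_only"
    next
end
config system dhcp server
    edit 1
    next
end
config wireless-controller vap
    edit "corp-wifi"
    next
end
"""
PARTIAL = """\
config system admin
    edit "auditor"
        set accprofile "read_only"
    next
end
"""

def parse_backup(text):
    """Map each top-level 'config' section to the names of its 'edit' entries."""
    sections, current, depth = {}, None, 0
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            if depth == 0:
                current = s[len("config "):]
                sections.setdefault(current, [])
            depth += 1
        elif s == "end":
            depth = max(depth - 1, 0)
        elif s.startswith("edit ") and depth == 1:
            sections[current].append(s[5:].strip('"'))
    return sections

def missing_from(partial, full):
    """Return sections/entries present in the full backup but not the partial one."""
    p, f = parse_backup(partial), parse_backup(full)
    gaps = {sec: [e for e in ents if e not in p.get(sec, [])] for sec, ents in f.items()}
    return {sec: lost for sec, lost in gaps.items() if lost or sec not in p}
```

The comparison covers only section names and top-level entry names. It does not compare individual `set` values inside an entry.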


These changes to FortiOS were implemented so that read-only administrators cannot gain access to information that only full administrators should see, and cannot modify and restore configurations to gain elevated access privileges. Lower-level administrator profiles cannot back up or restore the FortiOS configuration. The default super_admin profile has access to all FortiOS components and to certain tasks such as backing up and restoring configuration files.

 

Related document: 

Administrator profiles