nbgiridar
New Member
December 1, 2020
Question

Read only account to get device configuration

  • December 1, 2020
  • 2 replies
  • 7072 views

Hi All,

Is it possible to create a read-only account that can run the command below?

config global config system console set out standard end show null 

    2 replies

    Alexis_Esp
    New Member
    December 1, 2020

    Hello,

    I'm not sure I understand the question well, but I don't think you can filter permissions that much. Take a look at the access profiles: https://docs.fortinet.com/document/fortigate/6.2.2/cli-reference/2620/system-accprofile

    and administration profiles: https://docs.fortinet.com/document/fortigate/latest/administration-guide/294491/administrator-profiles

    You can filter much of the information to the administrator of your choice, but not as much.

     

    nbgiridar
    Author
    New Member
    December 1, 2020

    Thank you Alexis,

    I need an account that can run the above command but without any permission to change any settings.

    Alexis_Esp
    New Member
    December 1, 2020

    Hi,

    If you only need the user to be unable to modify, a read-only user is sufficient. If, in addition, you only want me to see certain parts of the configuration, you will need to test with the profiles.

     

    Br

    jruan
    Explorer III
    January 2, 2025

    Update if anybody got to this thread. A possible answer to this may be utilising TACACS+ to authorise commands. It might be a killer depending on your use case, but still.

     

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-TACACS-authentication-and/ta-p/192810