When using multiple VDOMs in the FortiGate configuration, there are two options to create an admin user that has visibility of all VDOMs:
- A global admin account with read/write (full) privileges. This is the default admin account profile (super_admin).
- A read-only admin account with visibility of all VDOMs.
This article describes how to create the read-only admin user with access to all VDOMs.
1) Create an admin profile with read-only privileges from the CLI (the profile is named "admin_readonly" here, matching the name assigned to the account in step 2):
config global
    config system accprofile
        edit "admin_readonly"
            set admingrp read
            set authgrp read
            set endpoint-control-grp read
            set fwgrp read
            set loggrp read
            set mntgrp read
            set netgrp read
            set routegrp read
            set sysgrp read
            set updategrp read
            set utmgrp read
            set vpngrp read
            set wanoptgrp read
            set wifi read
            set scope global
        next
    end
end
By default, a new admin profile is configured with 'set scope vdom', which restricts the admin profile's VDOM visibility.
When this admin profile is created, the important option is the 'set scope global' setting.
It can only be modified manually from the CLI, which prevents admin users from accidentally being granted global privileges.
Without it, the 'Global' VDOM is not visible from the GUI or CLI after login, even if the intention was to create an all-access profile.
A global configuration change cannot be made unless either a super_admin profile is used or the account profile's scope is changed to 'global' from the CLI.
2) After the admin profile is created with the correct scope, create an admin user account and assign it the admin profile created above from the CLI (replace <admin_name> and <password> with the desired username and password):
config global
    config system admin
        edit "<admin_name>"
            set accprofile "admin_readonly"
            set password <password>
        next
    end
end
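Because the scope setting is only visible from the CLI, it is easy to lose track of which admin accounts end up with global visibility and what write permissions their profile carries. The following script is an added example, not Fortinet code or part of this article: it parses a FortiOS-style configuration export (the 'config' / 'edit' / 'set' / 'next' / 'end' text format), pairs every entry under 'config system admin' with its 'config system accprofile' entry, and reports the profile's scope and its read-write permission groups. The sample configuration embedded below is constructed for the example; the profile names "vdom_fw_admin" and the account names "auditor" and "fwops" are assumptions.

```python
"""Audit FortiOS admin accounts for global-scope profiles (added example)."""

# Constructed sample of a FortiOS-style config export; not from a real device.
SAMPLE_CONFIG = """\
config global
    config system accprofile
        edit "super_admin"
            set scope global
            set sysgrp read-write
            set fwgrp read-write
        next
        edit "admin_readonly"
            set scope global
            set sysgrp read
            set fwgrp read
            set vpngrp read
        next
        edit "vdom_fw_admin"
            set fwgrp read-write
        next
    end
    config system admin
        edit "admin"
            set accprofile "super_admin"
        next
        edit "auditor"
            set accprofile "admin_readonly"
        next
        edit "fwops"
            set accprofile "vdom_fw_admin"
            set vdom "customerA"
        next
    end
end
"""

# Only these two tables are collected; everything else is skipped.
AUDITED_TABLES = ("system accprofile", "system admin")


def parse_fortios_tables(text):
    """Return {table: {entry_name: {key: value}}} for the audited tables.

    A stack of open 'config' blocks is kept so that nested sub-tables inside
    an entry (with their own edit/next lines) do not corrupt the parent entry.
    """
    tables = {}
    frames = []  # one dict per open 'config' block: {"table": str, "entry": dict|None}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            frames.append({"table": " ".join(tok[1:]), "entry": None})
        elif cmd == "end":
            if frames:
                frames.pop()
        elif not frames:
            continue
        elif cmd == "edit":
            table = frames[-1]["table"]
            if table in AUDITED_TABLES:
                name = " ".join(tok[1:]).strip('"')
                frames[-1]["entry"] = tables.setdefault(table, {}).setdefault(name, {})
        elif cmd == "next":
            frames[-1]["entry"] = None
        elif cmd == "set" and frames[-1]["entry"] is not None and len(tok) >= 3:
            frames[-1]["entry"][tok[1]] = " ".join(tok[2:]).strip('"')
    return tables


def audit_admins(text):
    """Return one finding per admin account: its profile, the profile's scope
    (FortiOS defaults a new profile to 'vdom' when scope is not set), the
    permission groups set to read-write, and whether the account combines
    global scope with any write permission."""
    tables = parse_fortios_tables(text)
    profiles = tables.get("system accprofile", {})
    findings = []
    for admin, attrs in sorted(tables.get("system admin", {}).items()):
        profile_name = attrs.get("accprofile")
        profile = profiles.get(profile_name, {})
        scope = profile.get("scope", "vdom")
        rw_groups = sorted(k for k, v in profile.items() if v == "read-write")
        findings.append({
            "admin": admin,
            "profile": profile_name,
            "scope": scope,
            "rw_groups": rw_groups,
            "global_write": scope == "global" and bool(rw_groups),
        })
    return findings


if __name__ == "__main__":
    for f in audit_admins(SAMPLE_CONFIG):
        flag = "GLOBAL READ-WRITE" if f["global_write"] else ""
        print(f"{f['admin']:<10} {f['profile']:<16} scope={f['scope']:<6} "
              f"rw={','.join(f['rw_groups']) or '-'} {flag}")
```

Run against a real export ('show full-configuration' output or a backup file), the script highlights the accounts that should get a second look: a global-scope profile with any read-write group is a full-administration path, while a global-scope profile with only 'read' groups is the read-only auditor account this article describes.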