I'm trying to set up a read-only user that would be used to back up configurations, and apparently setting read-only rights on all options in the admin profile will cause it to deny SSH connections in from that user. Is there a specific access control item that needs to be read-write for you to be able to use the CLI?
You have to look at the access profile and the categories. Just test it before you release it. Keep in mind that they can still get access to fnsysctl, and if you allow scp you can have anybody conduct a restoral.
I haven't found any method for a user to just "backup" only with no other means. Let us know what you do. In the long run you would find the FortiManager a better solution for this but at the cost of $$$$.$$ ;)
Well, it would be mostly for an automated tool to access the firewall, and we want it to have its own admin account. The desire to restrict access to that account is so that if someone were to get the password, they would have limited ability to do anything bad. The more likely scenario is that the software has some bug and causes a change in the configuration unexpectedly.
Either way, the admin guide specifically mentions that depending on your access level, parts of the CLI structure may be unavailable, but it does not specify that in order to access the CLI at all, you need x, y, and z permissions.