Read only account to get device configuration

nbgiridar · ‎11-30-2020

Hi All,

is it possible to create a read only account that can run below command

config global config system console set out standard end show null

Alexis_Esp · ‎12-01-2020

Hello,

I'm not sure I understand the question well, but I don't think you can filter permissions that much. Take a look at the access profiles: https://docs.fortinet.com/document/fortigate/6.2.2/cli-reference/2620/system-accprofile

and administration profiles: https://docs.fortinet.com/document/fortigate/latest/administration-guide/294491/administrator-profil...

You can filter much of the information to the administrator of your choice, but not as much.

nbgiridar · ‎12-01-2020

Thank you Alexis,

i need an account that can run the above command but with out any permission to change any settings

Alexis_Esp · ‎12-01-2020

Hi,

if you only need the user to be unable to modify, a read only user is sufficient. If, in addition, you only want me to see certain parts of the configuration, you will need test with the profiles.

Br

Yurisk · ‎12-01-2020

Not exactly a read-only administrator user, but rather a user that can run only selected set of CLI commands - no, built-in means of Fortigate do not provide such option.

Yuri Slobodyanyuk

nbgiridar · ‎12-02-2020

thank you all

jruan · ‎01-02-2025

Update if anybody got to this thread. A possible answer to this may be utilising TACACS+ to authorise commands. It might be a killer depending on your use case, but still.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-TACACS-authentication-and...

Read only account to get device configuration

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website