FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 191429


When using multiple VDOMs in the FortiGate configuration, there are two options to create an admin user that has the visibility of all VDOMs:

- A global admin account with read write (full) privileges . This is the default admin account profile (super_admin)
- A read only admin account, with a visibility on all VDOMs.

This article describes how to create the read only admin user with access to all VDOMs.


1) Create an admin profile with read only privileges from the CLI:

# config global
# config system accprofile

    edit "admin_readonly"
        set admingrp read
        set authgrp read
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
        set scope global

By default, this admin profile option is configured with 'set scope vdom', which restricts the admin profiles VDOM visibility.
When this admin is created
the interesting option is the 'set scope global' setting.
It has to be modified manually via CLI only in order to prevent accidental privileges for admin users.

This is not possible to  see the 'Global' VDOM from GUI or CLI after login, even if the intention was to create an all access profile.
A global configuration change cannot be done unless either using a super_admin profile or changing the account profiles scope to 'global' from the CLI.

2) After the admin profile is created with the correct scope, create an admin user account and assign it the above created admin profile from the CLI:


# config global
# config system admin

    edit "admin_read"
        set accprofile "admin_readonly"

1) Creating Admin Profile: 

Login to the firewall as admin, select System, -> Admin Profiles, and then select Create new.

Name: Give Any name to the profile. 

For all the access permissions select 'Read' mode, so that the concerned administrator will be able to view only, he will not be able to change any setting. 


Permit use of CLI diagnostic commands: 

If this option is enabled, Admins will be able to execute diagnostic commands in the FortiGate. 

Here is the reference screenshot: 




Select 'SAVE' button, the profile will be saved. 


Now ti is necessary to create new administrator and attach this READ ONLY profile to that specific user. 


2) Creating Administrator: 

Select System -> Administrators and select Create New.

Fill in all the fields like name, and password, and then attach the newly created profile 'read only' to the admin user. 


Refer to the below screenshot: 





Now try to log in with this user, only read-only access will be available.