Skip to main content

Read-Only Admin Profile

(2022-02-15)

Problem

I want a (or a bunch of) read-only admin(s) with global scope.

Solution

# config global
# config system accprofile
    edit "admin_readonly"
        set admingrp read
        set authgrp read
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
        set scope global
    next
end

Notes:

  • these instructions are for 6.2 or higher, some of these "set" commands don't work in 6.0.
  • for scope restrictions, set scope is your friend.

(Source)