Create Admin Profiles (Permissions)

An admin profile is a permission template. Each admin user is assigned one profile, which defines the menu sections that user can view, can edit, or cannot see at all. Use profiles to limit what junior techs, read-only auditors, or network-only admins can touch.

Built-in Profiles

  • super_admin — full access. Reserved for the system itself; you can assign it, but it is better to create your own.
  • prof_admin — full operational access, but can't add other admins.

Create custom profiles for everyone else.

Steps

  1. System → Admin Profiles → + Create New.
  2. Fill in:
    • Name — e.g. Network-Only.
    • Comments — what the role is for.
    • Permissions — for each menu category (Network, Security Profiles, VPN, Log & Report, etc.), set:
      • None — hidden from menu.
      • Read — view-only.
      • Read/Write — full access.
    • For VDOM-specific deployments, also set the VDOM scope.
  3. OK.

Common Profile Templates

  • Network-Only: Read/Write on Network + Policy & Objects; None on everything else. For people configuring routing/firewalling but not security/VPN.
  • Read-Only Auditor: Read on everything; None on System (so they can't see other admins).
  • VPN-Manager: Read/Write on VPN + User & Authentication; Read on Network; None on rest.
  • Log-Viewer: Read on Log & Report; None on rest.

CLI Equivalent

config system accprofile
    edit "Network-Only"
        set scope global
        set fwgrp read-write       # Policy & Objects
        set netgrp read-write      # Network
        set sysgrp none            # System (template: None on everything else)
        set vpngrp none            # VPN
        set utmgrp none            # Security Profiles
        set wanoptgrp none
        set authgrp none           # User & Authentication
        set loggrp none            # Log & Report
    next
end

Apply to an Admin

When creating/editing an admin (System → Administrators), set Administrator Profile to your custom profile.

Verify

Log in as a user assigned the new profile. Each menu should be hidden, read-only, or read/write as configured.
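
A configuration backup can also be checked offline against the templates above. The Python below is an added example, not part of the original page or any vendor tooling: it parses the config system accprofile block and reports every permission group that exceeds its template. It assumes that an unset group means none and that loggrp is the group behind Log & Report; any value it does not recognise (such as custom) is treated as most permissive, and the sample config is constructed.

```python
import re

GROUPS = ["sysgrp", "netgrp", "fwgrp", "vpngrp", "utmgrp", "wanoptgrp", "authgrp", "loggrp"]
LEVEL = {"none": 0, "read": 1, "read-write": 2}
# Ceilings from the page's templates (assumed: loggrp = Log & Report).
# Unlisted groups, and profiles without a template, are allowed "none".
TEMPLATES = {"Network-Only": {"netgrp": "read-write", "fwgrp": "read-write"},
             "Log-Viewer": {"loggrp": "read"}}
# Constructed backup excerpt with deliberate drift from the templates.
SAMPLE_CONFIG = '''
config system accprofile
    edit "Network-Only"
        set fwgrp read-write       # Policy & Objects
        set netgrp read-write      # Network
        set sysgrp read-write
        set loggrp read
    next
    edit "Log-Viewer"
        set loggrp read
        set utmgrp custom
    next
end
'''

def parse_accprofiles(config_text):
    """Return {profile: {setting: value}}; nested config blocks are skipped."""
    profiles, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("config "):
            depth += 1 if depth or line == "config system accprofile" else 0
        elif depth and line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            current = profiles.setdefault(m.group(1), {})
        elif depth == 1 and current is not None and (m := re.match(r"set\s+(\S+)\s+(\S+)$", line)):
            current[m.group(1)] = m.group(2)
    return profiles

def audit(profiles, templates=TEMPLATES):
    """List (profile, group, actual, allowed) where access exceeds the template."""
    findings = []
    for name, settings in profiles.items():
        for grp in GROUPS:
            actual = settings.get(grp, "none")          # assumption: unset = none
            allowed = templates.get(name, {}).get(grp, "none")
            if LEVEL.get(actual, 2) > LEVEL[allowed]:   # unknown value = worst case
                findings.append((name, grp, actual, allowed))
    return findings
```

Calling audit(parse_accprofiles(SAMPLE_CONFIG)) flags sysgrp and loggrp on Network-Only and the custom utmgrp on Log-Viewer.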

Common Issues

  • Profile too restrictive. User can't do their job. Add the missing permission groups.
  • Profile too permissive. User can see / change things they shouldn't. Tighten.
  • Changes don't apply. Active session — log the user out and back in.
  • VDOM admin sees all VDOMs. Profile scope set to global. Set to vdom and assign specific VDOMs.