Description: This article describes how to use Secure Copy Protocol (SCP) to back up the FortiGate configuration file from FortiOS 7.4.4 onward, using an admin profile with limited Read/Write permissions.
Scope: FortiGate v7.4.4 and later.
Solution:
Starting from v7.4.4, backing up a configuration file requires read/write access. Administrators with read-only access therefore cannot back up the configuration file, either from the FortiGate itself or through SCP.
Where using the 'super_admin' profile with full access is not desirable for security reasons, a custom admin profile with just enough Read/Write permission can be created for taking the SCP backup.
Create a custom Administrator Profile under 'System > Admin Profile' by selecting 'Create New'.
In the Access Permissions, assign 'Read' to all Access Controls except 'System', which must be set to 'Custom'. Within the 'System' custom permissions, apply 'Read/Write' only to the 'Administrator Users' Access Control and 'Read' to the remaining System Access Controls.
Create a new administrator user by going to 'System > Administrators' and attaching the newly created 'scp-profile' admin profile.
Test the configuration file backup via SCP by using the newly created administrator user, which in this case is named 'scpadm':
scp -O scpadm@<FortiGate_IP>:sys_config <location>
If SCP is correctly enabled on the FortiGate, the transfer completes and the configuration file is saved at <location>. Refer to this KB article: How to download a FortiGate configuration file and upload a firmware file using secure copy (SCP)
Note: Although administrator users assigned the newly created admin profile have Read/Write permission in the 'Administrator Users' Access Control, they are unable to create other admin profiles with permissions exceeding those of their own profile, in this case 'scp-profile'. Attempting to do so will result in the following error:
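The backup command above, wrapped into a small script that stores the file with a timestamp and sanity-checks what came back. This is an added example and not Fortinet's code; the 'scpadm' user, the 192.0.2.1 management address and the '#config-version=' header check are assumptions you should adjust to your own environment.

```shell
#!/bin/sh
# Added example (not from the Fortinet KB article): back up a FortiGate
# configuration over SCP with a least-privilege administrator and verify
# that a plausible configuration file was received.

FGT_USER="${FGT_USER:-scpadm}"            # admin user bound to 'scp-profile'
FGT_HOST="${FGT_HOST:-192.0.2.1}"         # placeholder management IP
BACKUP_DIR="${BACKUP_DIR:-./fgt-backups}"
SCP_BIN="${SCP_BIN:-scp}"

# A plausible backup is non-empty and starts with the '#config-version='
# header that FortiOS writes at the top of sys_config (assumption; adjust
# if your build differs). Returns 0 when the file looks valid.
fgt_check_backup() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^#config-version=' || return 1
    return 0
}

# Fetch sys_config with the legacy SCP protocol (-O), as in the article,
# into a timestamped file. Prints the saved path on success; returns 1 if
# the transfer failed and 2 if the received file does not look like a config.
fgt_backup() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    out="$BACKUP_DIR/${FGT_HOST}_${ts}.conf"
    mkdir -p "$BACKUP_DIR"
    "$SCP_BIN" -O "${FGT_USER}@${FGT_HOST}:sys_config" "$out" || return 1
    fgt_check_backup "$out" || return 2
    printf '%s\n' "$out"
}
```

Run it as `FGT_HOST=<FortiGate_IP> sh backup.sh` after adding a `fgt_backup` call at the end, or source it from a cron job that also rotates old files.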