1. Log in to the super admin account from FortiGate and create a read-only profile.
2. From GUI: Navigate to System -> Admin Profile -> Create New.

From CLI:

config system accprofile

    edit "Read only"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        set cli-diagnose enable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
    next
end

3. Create an Administrator account for a read-only profile:

From GUI,  Go to System -> Administrators -> Create new -> Administrator.

From CLI:

config system admin
    edit "Test1"
        set accprofile "Read only"
        set vdom "root"
        set password ENC SH2FbjDIB1IS/v4X4M77vegU75YG0y0AP2LY3aghlG5xHpfA2ftUhVtVyiHidE=
    next
end

4. Log out and log in to FortiGate using the new admin user Test1. Instead of #, $ indicates a non-super-admin profile has logged in.

boson-kvm08 $ config firewall policy
Unknown action 0

boson-kvm08 $ sh firewall policy
config firewall policy
end

Note: 

'#' is for admin users with a super_admin profile, all other profiles have '$'.