Created on 09-27-2024 02:53 AM
Edited on 03-19-2025 09:13 AM
By Stephen_G
Description | This article describes how to restrict an admin user on FortiGate so that it can only take configuration backups. |
Scope | FortiGate v7.2.9, v7.4.4 onwards |
Solution |
Requirement: restrict an admin user so that it can take a configuration backup of the FortiGate but has no privileges to modify or change the configuration.
Create a custom Admin Profile under System -> Admin Profiles and select 'Create new'.
Name the admin profile, for example 'BackupAdmin', and set its permissions so that the profile only allows taking a configuration backup:
In the Access Permissions settings, set every Access Control to 'Read' except 'System', which is set to 'Custom'. Within the custom System permissions, grant 'Read/Write' only to 'Administrator Users' and leave the other System sub-permissions (cfg, mnt and upd in the CLI) at 'Read'. Note that 'Read/Write' on 'Administrator Users' allows the account to manage administrator accounts, so this profile prevents changes to the device configuration but is not strictly read-only; restrict the account's trusted hosts and monitor its logins accordingly.
Create a new admin user, for example 'backup', and assign it the 'BackupAdmin' profile created above:
Once the admin user is created, log in to the FortiGate as the 'backup' user and verify that a configuration backup can be taken and that configuration changes are rejected:
CLI Reference:

    config system accprofile
        edit "BackupAdmin"
            set secfabgrp read
            set ftviewgrp read
            set authgrp read
            set sysgrp custom
            set netgrp read
            set loggrp read
            set fwgrp read
            set vpngrp read
            set utmgrp read
            set wifi read
            config sysgrp-permission
                set admin read-write
                set upd read
                set cfg read
                set mnt read
            end
        next
    end

    config system admin
        edit "backup"
            set accprofile "BackupAdmin"
            set vdom "root"
            set password ENC SH2rzqoHex2AFHNy8WhtEgie5YtgpQGqJaZzonEhrqaoTPKn70cbbmXCaDQW9Y=
        next
    end
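The following Python script is an added example, not part of this article or of Fortinet's tooling. It parses the FortiOS 'config / edit / set / next / end' syntax as it appears in a configuration backup and checks that a profile matches the backup-only settings above (every group 'read', 'sysgrp custom', and only 'admin' read-write inside sysgrp-permission), then lists which administrator accounts use that profile. The SAMPLE_CONFIG text is constructed from the article's CLI reference, with a second, deliberately over-permissive profile ('TooBroad') and an admin 'netops' added for contrast; the parser is a minimal one written for this example and handles only the statements shown.

```python
"""Audit a FortiGate configuration export for a backup-only admin profile.

Added example (not from the article or Fortinet). The parser below is a
minimal one written for this example; it only understands the config /
edit / set / next / end statements used in the sample.
"""

# Constructed sample input: the article's profile and admin, plus an
# over-permissive profile and admin that the audit should flag.
SAMPLE_CONFIG = """\
config system accprofile
    edit "BackupAdmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
    edit "TooBroad"
        set sysgrp read-write
        set fwgrp read-write
    next
end
config system admin
    edit "backup"
        set accprofile "BackupAdmin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "TooBroad"
        set vdom "root"
    next
end
"""

# Access-control groups the article sets to 'read'. 'sysgrp' is set to
# 'custom' and refined through the sysgrp-permission table.
READ_ONLY_GROUPS = ("secfabgrp", "ftviewgrp", "authgrp", "netgrp", "loggrp",
                   "fwgrp", "vpngrp", "utmgrp", "wifi")
# Inside sysgrp-permission only 'admin' is read-write; the rest stay 'read'.
SYSGRP_EXPECTED = {"admin": "read-write", "upd": "read", "cfg": "read", "mnt": "read"}


def parse_fortios(text):
    """Parse FortiOS config syntax into nested dicts.

    'config <table>' and 'edit <entry>' open a nested dict, 'set <key> <value>'
    stores a value (surrounding quotes removed), and 'next' / 'end' return
    to the enclosing level.
    """
    root = {}
    stack = []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(cur)
            cur = cur.setdefault(line[len("config "):].strip(), {})
        elif line.startswith("edit "):
            stack.append(cur)
            cur = cur.setdefault(line[len("edit "):].strip().strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            cur[key] = value.strip().strip('"')
        elif line in ("next", "end"):
            cur = stack.pop()
    return root


def audit_backup_profile(cfg, profile_name):
    """Return a list of findings; an empty list means the profile matches the
    backup-only settings. Groups left unset default to 'none', which is more
    restrictive than 'read' and therefore not flagged."""
    findings = []
    profile = cfg.get("system accprofile", {}).get(profile_name)
    if profile is None:
        return ["profile %r not found" % profile_name]
    for group in READ_ONLY_GROUPS:
        value = profile.get(group, "none")
        if value not in ("none", "read"):
            findings.append("%s is %s, expected read" % (group, value))
    if profile.get("sysgrp") != "custom":
        findings.append("sysgrp is %s, expected custom" % profile.get("sysgrp", "none"))
    sub = profile.get("sysgrp-permission", {})
    for key, expected in SYSGRP_EXPECTED.items():
        actual = sub.get(key, "none")
        if actual != expected:
            findings.append("sysgrp-permission %s is %s, expected %s" % (key, actual, expected))
    return findings


def admins_with_profile(cfg, profile_name):
    """Names of administrator accounts assigned the given profile."""
    admins = cfg.get("system admin", {})
    return sorted(name for name, entry in admins.items()
                  if isinstance(entry, dict) and entry.get("accprofile") == profile_name)


if __name__ == "__main__":
    config = parse_fortios(SAMPLE_CONFIG)
    for name in config["system accprofile"]:
        print(name, admins_with_profile(config, name),
              audit_backup_profile(config, name) or "OK")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; the BackupAdmin profile should produce no findings, and any profile that grants read-write outside sysgrp-permission admin is reported together with the accounts that would inherit it.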
|