FortiGate
js2
Staff
Article Id 373701
Description This article describes how to allow user groups to override blocked categories with a Web Profile Override.
Scope FortiGate.
Solution
  1. Configure a web profile administrative override under Security Profiles -> Web Profile Overrides.

  2. Configure the web filter profile. In this example, the 'monitor-all' profile is selected and set to block the social networking category.

To identify which category a URL falls in, look it up at https://www.fortiguard.com/webfilter.

Note: If the firewall policy is set to flow-based inspection, ensure that the web filter profile is also configured for flow-based inspection.

  3. Enable the option that allows users to override blocked categories, and define the user group and profile name. In the 'default' profile, the social networking category is set to allow.

  4. Apply the web filter profile 'monitor-all' in the firewall policy.

After applying this configuration, verify it by generating traffic. The end user will be prompted to enter the user credentials.

Upon successful login, browse to any website that belongs to the social networking category.

The block page is received because social networking is blocked in the 'monitor-all' profile. Select override, and the override page appears.

Once the user successfully overrides, an override entry is generated. In this example, the override is defined for a user group rather than an individual user, so if another user who belongs to the same 'TAC group' logs in, FortiGate allows that user to override transparently.
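
To review which web filter profiles permit this kind of override, the following added example (not part of the original article and not Fortinet code) parses a FortiGate configuration backup and lists each profile's override group, target profile and scope. The sample configuration is constructed, and the key names `ovrd-scope`, `ovrd-user-group` and `profile` are assumed to be the CLI counterparts of the GUI fields configured in the steps above.

```python
import shlex

# Constructed sample in FortiOS backup syntax; not taken from the article.
# Assumption: ovrd-scope, ovrd-user-group and profile are the CLI
# counterparts of the GUI override fields the article configures.
SAMPLE_CONFIG = """\
config webfilter profile
    edit "monitor-all"
        config override
            set ovrd-scope user-group
            set ovrd-user-group "TAC group"
            set profile "default"
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
    edit "strict"
        set comment "no override configured"
    next
end
"""


def find_overrides(config_text):
    """Return {profile: settings} for each web filter profile with an override block."""
    stack, profile, found = [], None, {}
    for raw in config_text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
            if stack == ["webfilter profile", "override"]:
                found[profile] = {}
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack == ["webfilter profile"]:
            profile = words[1]  # nested "edit" lines (filter IDs) are ignored
        elif words[0] == "set" and stack == ["webfilter profile", "override"]:
            found[profile][words[1]] = words[2:]
    return found


def group_scoped(overrides):
    """Profiles where one member's override applies to the whole user group."""
    return sorted(p for p, s in overrides.items() if s.get("ovrd-scope") == ["user-group"])
```

Profiles returned by `group_scoped` are the ones where, as described above, a second member of the group gets the override without being prompted, so they deserve a check of group membership.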

 

Related document:

Web profile override