FortiGate
js2
Staff
Article Id 373701
Description This article describes how to allow user groups to override blocked categories with a web profile override.
Scope FortiGate.
Solution
  1. Configure web profile administrative override under Security profiles -> Web Profile overrides.

 

Capture.PNG

 

  2. Configure the web-filter profile. In this example, the 'monitor-all' profile is selected to block the social networking category.

 

8.PNG

 

The URL can be verified through https://www.fortiguard.com/webfilter to identify which category it falls in. 

 

  3. Enable the option that allows users to override blocked categories, and define the user group and profile name. In the 'default' profile, the social networking category is set to allow.

 

9.PNG

 

  4. Configure the web-filter profile 'monitor-all' in the firewall policy.

 

7.PNG

 

After applying this configuration, generate traffic to verify it. The end user will be prompted to enter the user credentials.

Upon successful login, browse to any website that belongs to the social networking category. In this example, Facebook is accessed.

 

1.PNG

 

A block page is received because social networking is blocked in the 'monitor-all' profile. Select override and the page appears as shown in this image.

 

2.PNG

 

Once the user successfully overrides, an override entry is generated. In this example, a user group has been used instead of a single user. If another user who belongs to the same 'TAC group' logs in, FortiGate allows the override transparently.

 

4.PNG

 

5.PNG
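Because an override lets a whole user group switch to a more permissive profile, it is worth reviewing which profiles carry one. The following is an added example, not code from the article or from Fortinet, and it goes beyond the GUI steps by auditing a configuration backup. It assumes the backup uses the FortiOS CLI layout `config webfilter profile` / `config override` with the `ovrd-user-group`, `profile` and `ovrd-dur` settings; the sample text and the function name `audit_overrides` are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS "show" style, mirroring the article's example.
# Profile, group, duration and category values are illustrative only.
SAMPLE_CONFIG = '''
config webfilter profile
    edit "monitor-all"
        config override
            set ovrd-user-group "TAC group"
            set profile "default"
            set ovrd-dur 15m
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
    edit "default"
    next
end
'''


def audit_overrides(config_text):
    """Map each web filter profile that has override settings to those settings."""
    stack, profile, found = [], None, {}
    for raw in config_text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # enter a config block
        elif tok[0] == "end" and stack:
            stack.pop()                          # leave the current block
        elif tok[0] == "edit" and stack == ["webfilter profile"]:
            profile = tok[1]                     # profile-level edit only
        elif tok[0] == "set" and stack == ["webfilter profile", "override"]:
            found.setdefault(profile, {})[tok[1]] = tok[2:]
    return found


if __name__ == "__main__":
    for name, ovrd in audit_overrides(SAMPLE_CONFIG).items():
        print(f"{name}: groups {ovrd.get('ovrd-user-group')} can switch to "
              f"profile {ovrd.get('profile')} for {ovrd.get('ovrd-dur')}")
```

Profiles without an override block, such as 'default' in the sample, are not reported.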

 

Related document:

Web profile override