FortiManager
madhan (Staff)
Article Id 419769
Description

This article describes how to configure an admin that can only download FortiGate configuration from FortiManager.

Scope

FortiManager.
Solution

Least privilege access is a widely recommended security hardening best practice: the admin account is granted the lowest level of privilege that still allows it to perform its intended function.


In this case, the requirement is that the admin can only download the FortiGate configuration backup. The following steps can be taken:

  1. Navigate to System Settings -> Admin Profiles -> Create New. Enter any name in the Profile Name field and make sure 'Manage Device Configurations' is enabled. Leave the rest of the configuration at the default values.
    [Screenshot: Picture1.png]

  2. Navigate to System Settings -> Administrators -> Create New. Fill in the User Name and Password (required fields); the remaining fields can be configured as needed. Under Admin Profile, select the profile created in the previous step.

    [Screenshot: Picture2.png]

  3. Log in with the newly created credentials to test the assigned privileges. After login, the admin can only see Device Manager -> Device & Groups and the configuration of each managed device.

  4. To download the FortiGate configuration, navigate to Device Manager -> Device & Groups and select the desired managed FortiGate to open the device database, then open Dashboard: Summary. Scroll down to the Configuration and Install widget and select the number beside Total Revision. Select the revision with the green checkmark -> View Config -> Download.
    [Screenshot: Picture3.png]

     
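The same least-privilege profile and account can also be created from the FortiManager CLI. The fragment below is an added example, not part of the original article: the profile and user names are hypothetical, and the attribute names (device-manager, device-config, profileid, adom) are assumed from the FortiManager CLI and should be checked against the CLI reference for your version with `show system admin profile`.

```text
# Added example (not from the article). Attribute names are assumed; verify for your version.
config system admin profile
    edit "config-download-only"
        # Device Manager visible, so the admin can open the device database
        set device-manager read
        # 'Manage Device Configurations': the tip below names Read-Only as the minimum
        # needed to display the device database; set to read-write only if the
        # configuration download fails with read in your version.
        set device-config read
    next
end

config system admin user
    edit "backup-admin"
        # Replace with a strong password; never leave the placeholder in place
        set password <strong-password>
        set profileid "config-download-only"
        # Restrict to the ADOM(s) that hold the FortiGates to be backed up
        set adom "all_adoms"
    next
end

# Check the resulting profile before handing out the credentials
show system admin profile config-download-only
```

After logging in as this user, repeat step 3 to confirm that only Device Manager -> Device & Groups and the device configurations are visible.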

Additional tip: if any of the fields highlighted below are required, 'Manage Device Configurations' must be set to at least Read-Only, because this permission is needed to display the device database. Without it, the admin user cannot see the device database shown in the screenshot in step 4:

[Screenshot: Picture4.png]