FortiWeb
faical
Staff
Article Id 389827
Description

This article explains how to configure FortiWeb to use a TACACS+ attribute for administrator authorization, with FortiAuthenticator acting as the TACACS+ server.

Scope

FortiWeb.

Solution
  1. FortiAuthenticator should already be configured as a TACACS+ server with a local user and an authorization rule. A service is then added to the rule with the attribute-value pair admin_prof=read-only (FortiWeb only supports the attribute admin_prof):

FAC.png

The rest of the configuration should be as follows (TACACS is the local username on FortiAuthenticator):

autho.png

  2. An administrator, 'Tacacs_user' in this example, is added on FortiWeb with the FortiAuthenticator IP address as its remote server:

    Administrators.png

  3. An access profile named 'read-only' is created on FortiWeb; its name must exactly match the attribute value configured on FortiAuthenticator above. The permissions of this profile can be customized as needed:

    Admin_profile.png

  4. Access profile override is enabled for that administrator on the CLI (the administrator name matches the one created in step 2):

FortiWeb# config system admin
FortiWeb (admin) # edit Tacacs_user
FortiWeb (Tacacs_user) # set accprofile-override enable
FortiWeb (Tacacs_user) # end

After the TACACS+ user authenticates (for example via the FortiWeb CLI), no configuration is allowed, because the profile returned by the server is read-only. Entering config and pressing Enter does not open a configuration branch:

FortiWeb $ config
<Enter>
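The steps above reduce to one decision made at login: the authorization reply carries admin_prof=<name>, and that name is honoured only if override is enabled on the administrator and a profile with exactly that name exists on FortiWeb. The following Python model is an added illustration of that decision, not FortiWeb or FortiAuthenticator code (the devices implement it in firmware). The names LocalAdmin, parse_av_pairs, select_access_profile and check_profile_mapping, the fallback-to-local-profile policy when the attribute does not apply, and the sample profile and service names are assumptions made for this example.

```python
"""Model of the authorization step described in the article: a TACACS+
reply carrying admin_prof=<profile> is mapped to a FortiWeb access profile.

Added illustration only; the helper names and the fallback policy are
assumptions, not documented FortiWeb behaviour.
"""
from dataclasses import dataclass

SUPPORTED_ATTRIBUTE = "admin_prof"  # the only attribute FortiWeb supports (from the article)


@dataclass
class LocalAdmin:
    name: str                  # e.g. the 'Tacacs_user' administrator from the article
    accprofile: str            # profile assigned to the administrator locally
    accprofile_override: bool  # 'set accprofile-override enable' in the CLI


def parse_av_pairs(arguments):
    """Split TACACS+ attribute-value pairs into {attribute: (value, mandatory)}.

    RFC 8907 uses '=' as the separator for mandatory pairs and '*' for
    optional ones; the first occurrence of either character splits the pair.
    """
    pairs = {}
    for arg in arguments:
        idx = min((i for i, ch in enumerate(arg) if ch in "=*"), default=-1)
        if idx <= 0:
            raise ValueError(f"malformed attribute-value pair: {arg!r}")
        pairs[arg[:idx]] = (arg[idx + 1:], arg[idx] == "=")
    return pairs


def select_access_profile(admin, reply_arguments, device_profiles):
    """Return the access profile name the session runs under.

    Policy modelled here (an assumption for this example, verify on your
    own unit): with override disabled the local profile always applies;
    with override enabled, admin_prof is honoured only when it matches a
    profile that exists on the device exactly; in every other case the
    local profile is the fallback. Attributes other than admin_prof are
    ignored (the article states admin_prof is the only supported attribute).
    """
    if not admin.accprofile_override:
        return admin.accprofile
    requested = parse_av_pairs(reply_arguments).get(SUPPORTED_ATTRIBUTE)
    if requested is not None and requested[0] in device_profiles:
        return requested[0]  # exact, case-sensitive match required
    return admin.accprofile


def check_profile_mapping(attribute_value, device_profiles):
    """Troubleshooting aid: explain why a returned admin_prof would not apply.

    Returns an empty list when the value maps cleanly, otherwise a list of
    findings; the usual culprit is a near-miss such as 'Read-Only' versus
    'read-only', which the exact match rejects.
    """
    findings = []
    if attribute_value in device_profiles:
        return findings
    near = [p for p in device_profiles if p.lower() == attribute_value.lower()]
    if near:
        findings.append(f"'{attribute_value}' differs only in case from {near}; "
                        "rename one side so they match exactly")
    if attribute_value.strip() != attribute_value:
        findings.append("value has leading/trailing whitespace")
    if not findings:
        findings.append(f"no profile named '{attribute_value}' exists on the device")
    return findings


if __name__ == "__main__":
    # Constructed sample: the setup from the article. 'prof_admin' and the
    # 'service=fortiweb' pair are sample values, not taken from the page.
    admin = LocalAdmin("Tacacs_user", accprofile="prof_admin", accprofile_override=True)
    profiles = {"prof_admin", "read-only"}
    reply = ["service=fortiweb", "admin_prof=read-only"]  # constructed authorization reply
    print(select_access_profile(admin, reply, profiles))   # read-only
    print(check_profile_mapping("Read-Only", profiles))
```

The model makes two of the article's requirements visible: with override disabled the server's attribute changes nothing, and a profile name that differs from the configured one by a single character (case included) is never applied, so the administrator silently keeps the local profile. check_profile_mapping is the check to run first when a TACACS+ administrator ends up with more or fewer rights than the attribute was meant to grant.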


Related document:

Offloading HTTP authentication and authorization