FortiWeb
tnazarov
Staff
Article Id 341904
Description

This article describes how to troubleshoot Read Only Remote user login configuration.

Scope

FortiWeb 7.0.0 and later.

Solution

In some cases, although a Read-Only Remote user account is created using TACACS+ authentication on FortiWeb, the user still receives write access. Below is the relevant configuration, excerpted from the admin user group and the admin user entries:

config user admin-usergrp
    edit "ACS"
        config members
            edit 1
                set type tacacs+
                set tacacs+-name "Cisco ISE"
            next
        end
    next
    edit "ACS_RO"
        config members
            edit 1
                set type tacacs+
                set tacacs+-name "Cisco ISE"
            next
        end
    next
end

config system admin
    edit "ACS_RO"
        set type remote-user
        set admin-usergrp ACS_RO
    next
    edit "ACS"
        set access-profile prof_admin
        config dashboard
            edit "sysinfo"

Two scenarios show the behaviour with this configuration:

  1. The ACS admin entry has prof_admin rights and the ACS_RO entry has read-only rights, yet a user logging in as ACS_RO is granted full permissions instead of read-only.
  2. If the order is reversed, so that ACS_RO (read-only) is listed first and ACS (prof_admin) second, a user logging in as ACS receives the read-only permissions of ACS_RO, even though the ACS entry grants full permissions.

 

The key issue in this case is the 'wildcard' setting in the system admin configuration. It is important to ensure that 'wildcard' is disabled in the system admin settings.

The command to disable the wildcard is as follows:

config system admin
    edit "ACS"
        set wildcard disable
    next
    edit "ACS_RO"
        set wildcard disable
    next
end

This issue occurs because the wildcard setting was enabled on the admin user entries. With wildcard enabled, any user authenticated by the TACACS+ server matches the entry, so whichever remote-user entry is listed first is applied regardless of the account name that was entered; this is why the result depends on the order of the entries in the two scenarios above.

 

Wildcard Explanation:

This setting is used together with the remote-user admin type.
When wildcard is disabled, the system matches the user authenticated by the remote server exactly against the administrator name and password specified in the entry.
When wildcard is enabled, any user on the remote server matches the entry.
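The following Python script is an added example, not part of this article or of FortiWeb itself. It models the matching rule described above (wildcard disabled: exact name match; wildcard enabled: any remote user matches, first entry in the list wins) over a constructed `config system admin` dump, reproduces both scenarios, and provides an audit check that lists remote-user admin entries with wildcard enabled. The assumption that entries are tried in list order and the first match decides the access profile follows from the two scenarios; the profile name `prof_ro` is a placeholder for a read-only access profile and is not taken from the article.

```python
"""Model of FortiWeb remote-admin matching as described in the KB article.

Assumptions (not taken from the article): entries under `config system admin`
are tried in the order they appear and the first matching entry decides the
access profile. All configuration text here is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# prof_admin appears in the article; prof_ro is a constructed placeholder name.
PROFILES = {"ACS": "prof_admin", "ACS_RO": "prof_ro"}


def sample_config(order, wildcard="enable"):
    """Build a constructed `config system admin` dump with entries in `order`."""
    lines = ["config system admin"]
    for name in order:
        lines += [
            f'    edit "{name}"',
            "        set type remote-user",
            f"        set admin-usergrp {name}",
            f"        set access-profile {PROFILES[name]}",
            f"        set wildcard {wildcard}",
            "        config dashboard",  # nested block, as seen in the article's dump
            '            edit "sysinfo"',
            "            next",
            "        end",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


@dataclass
class AdminEntry:
    name: str
    settings: dict = field(default_factory=dict)

    @property
    def wildcard(self):
        return self.settings.get("wildcard", "disable") == "enable"

    @property
    def remote(self):
        return self.settings.get("type") == "remote-user"


def parse_system_admin(text):
    """Parse the `config system admin` section into an ordered list of entries.

    Nested blocks such as `config dashboard` are skipped so their `edit`/`end`
    lines do not confuse the top-level parse.
    """
    entries, current, depth, in_section = [], None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system admin"
            continue
        if depth:  # inside a nested config block: track depth and skip
            if line.startswith("config "):
                depth += 1
            elif line == "end":
                depth -= 1
            continue
        if line.startswith("config "):
            depth = 1
        elif line == "end":
            break
        elif (m := re.match(r'edit "?([^"]*)"?$', line)):
            current = AdminEntry(m.group(1))
            entries.append(current)
        elif (m := re.match(r"set (\S+) (.+)$", line)) and current:
            current.settings[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return entries


def wildcard_remote_admins(entries):
    """Audit check: names of remote-user admin entries that have wildcard enabled."""
    return [e.name for e in entries if e.remote and e.wildcard]


def resolve_profile(entries, remote_username):
    """Access profile a server-authenticated user ends up with, or None."""
    for e in entries:
        if not e.remote:
            continue
        if e.wildcard or e.name == remote_username:
            return e.settings.get("access-profile")
    return None


if __name__ == "__main__":
    bad = parse_system_admin(sample_config(["ACS", "ACS_RO"]))
    print("wildcard entries:", wildcard_remote_admins(bad))
    print("ACS_RO gets:", resolve_profile(bad, "ACS_RO"))  # scenario 1
    fixed = parse_system_admin(sample_config(["ACS", "ACS_RO"], wildcard="disable"))
    print("ACS_RO gets after fix:", resolve_profile(fixed, "ACS_RO"))
```

Running the audit over a real dump (`show system admin`) and treating any non-empty result of `wildcard_remote_admins` as a finding is the practical check; the resolver only illustrates why the order of entries changed the outcome in the two scenarios.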