03-22-2021 04:28 AM
Hi All,
I am integrating a Fortigate firewall with Cisco ISE (version 2.4, patch 13) using TACACS. Authentication succeeds but authorization fails. Below are the attributes given in the TACACS Profile. After logging into the firewall, the user is not able to view all the VDOMs.

Attribute | Requirement | Description | Value
--------- | ----------- | ----------- | -----
service | Mandatory | Fortinet Service | fortigate
memberof | Mandatory | TACACS+ group | RO_admin_group
admin_prof | Mandatory | ACC Profile | RO_Profile
Do I need to make any changes in the attributes given?
03-22-2021 04:47 AM
- FYI: https://community.cisco.com/t5/network-access-control/fortigate-authorization-with-ise/td-p/3545350
M.
02-07-2023 09:44 AM
Tacacs?
03-22-2021 04:53 AM
Hi
Had the same issue with 2.2 only the other week.
Compare this config; a lot of it was trial and error, Fortigate said it couldn't be done. But I'm guessing it will be around set vdom "root" "WIN-XP-7" "GENERIC-APP", depending on your Forti firmware.
You will need to put in policies to deny access to other groups, as anyone with any level in your TACACS will get full admin.
Let me know if this helps.
CLI Commands for Fortigate Tacacs+ Read & ReadWR

Global
# Read-only admin profile referenced by the remote admin entries below
config system accprofile
    edit "Tacacs_RO"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end

VDOM Root
# Local user groups; "group-name" under "config match" is the TACACS+ group
# name returned by ISE (the memberof attribute)
config user group
    edit "Tacacs"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "sitise01" "sitise02" "sitise03"
        config match
            edit 1
                set server-name "sitise01"
                set group-name "TACACS_NETWORK_ADMIN"
            next
            edit 2
                set server-name "sitise02"
                set group-name "TACACS_NETWORK_ADMIN"
            next
            edit 3
                set server-name "sitise03"
                set group-name "TACACS_NETWORK_ADMIN"
            next
        end
    next
    edit "Radius"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "sitise03"
        config match
            edit 1
                set server-name "sitise03"
                set group-name "TACACS_NEWORK_ACCESS_R"
            next
        end
    next
    edit "TacacsRO"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "sitise01" "sitise02" "sitise03"
        config match
            edit 1
                set server-name "sitise01"
                set group-name "TACACS_NETWORK_ADMIN_R"
            next
            edit 2
                set server-name "sitise02"
                set group-name "TACACS_NETWORK_ADMIN_R"
            next
            edit 3
                set server-name "sitise03"
                set group-name "TACACS_NETWORK_ADMIN_R"
            next
        end
    next
end

# Wildcard admin entries: every TACACS+ user that matches the remote-group
# logs in with the accprofile and VDOM list set here
config system admin
    edit "TACACS"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root" "WIN-XP-7" "GENERIC-APP"
        set wildcard enable
        set remote-group "Tacacs"
    next
    edit "TACACSRO"
        set remote-auth enable
        set accprofile "Radius_Admins"
        set vdom "root" "WIN-XP-7" "GENERIC-APP"
        set wildcard enable
        set remote-group "TacacsRO"
    next
end

# TACACS+ servers; the entry names must match the "member" and "server-name"
# values used in the user groups above
config user tacacs+
    edit "sitise01"
        set server "your IP"
    next
    edit "sitise03"
        set server "your IP"
        set authorization enable
    next
    edit "sitise02"
        set server "your IP"
        set authorization enable
    next
end
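A small config linter, added here as an illustration (it is not part of the thread, of FortiOS or of ISE), that parses FortiOS CLI output and flags the two things most likely to break TACACS+ authorization in a setup like the one above: a server referenced under a name that differs from its `config user tacacs+` definition (the siteise/sitise mismatch), a `remote-group` that no user group defines, a TACACS+ server without `set authorization enable`, and a wildcard admin entry mapped to `super_admin`, which is the "anyone with any level gets full admin" situation the reply warns about. The config fragment is constructed for the example, and the `parse_fortios`/`audit` function names are the example's own.

```python
import re
# Constructed FortiOS fragment (not the thread's full config) reproducing two weaknesses seen above.
SAMPLE_CONFIG = """
config user tacacs+
    edit "siteise01"
        set authorization enable
    next
end
config user group
    edit "TacacsRO"
        set member "sitise01"
    next
end
config system admin
    edit "TACACSRO"
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "TacacsRO"
    next
end
"""

def parse_fortios(text):
    """Parse top-level config/edit/set/end into {section: {entry: {key: [values]}}}."""
    tree, section, entry, nested = {}, None, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if nested:  # skip nested blocks such as 'config match', tracking depth to their 'end'
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("config ") and section is None:
            tree.setdefault(section := line[7:], {})
        elif line.startswith("config "):
            nested = 1
        elif line.startswith("edit "):
            tree[section].setdefault(entry := line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            tree[section][entry][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "end":
            section = None
    return tree

def audit(tree):
    # Flag dangling references and over-broad remote admin entries in a parsed config
    servers, groups, admins = (tree.get(s, {}) for s in ("user tacacs+", "user group", "system admin"))
    findings = [f'group "{g}": member "{s}" is not a defined tacacs+ server'
                for g, cfg in groups.items() for s in cfg.get("member", []) if s not in servers]
    findings += [f'admin "{a}": remote-group "{g}" is not a defined user group'
                 for a, cfg in admins.items() for g in cfg.get("remote-group", []) if g not in groups]
    findings += [f'admin "{a}": wildcard login grants super_admin to every TACACS+ user'
                 for a, cfg in admins.items() if cfg.get("wildcard") == ["enable"] and cfg.get("accprofile") == ["super_admin"]]
    findings += [f'tacacs+ server "{s}": authorization disabled, ISE admin_prof is not requested'
                 for s, cfg in servers.items() if cfg.get("authorization") != ["enable"]]
    return findings
```

Run it against `show full-configuration` output (Python 3.8 or newer) and fix every finding before testing the ISE profile again; on the sample it reports the misspelled server and the wildcard super_admin entry.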