Yes, you are correct, my default is admin.  I have not created access profiles in ISE.  I will try that.  Thanks for the reply and help.  

So I have this as my authorization result and still not working.  Is there something else I need to do?  Thanks again for the help!

Good good. Now go to FMC and map that authz profile text to a role in FMC

Thanks for the follow-up and help.  I am getting closer but not quite there.  

So these are my ISE authorization profiles in ISE.

Created these users on the FMC

Do I set these custom roles as default users or something else?   Didn't seem to work as expected but wondering if I can get your help?

Thanks in advance

@4qbuddy   Wondering if you can help me with this last step so I can cross this off my to-do list?  Thanks in advance.  

I see what you have done. You have created custom user roles on FMC. This is like creating another user on ISE for logging in to the GUI – its only controlled by ISE and not by an external authority like AD, if that makes sense?

Rather than create usernames for the ISE roles being passed, tick the checkboxes for “Administrator” and “Security Analyst (Read Only)” that are on your bottom picture. Its different layout than mine but I would imagine that a box appears where you can add “Class = Cisco_FMC_Admin” and “Class = Cisco_FMC_ReadOnly”.

Try it out, let me know

I got this working today and want to put an update on here to maybe help others.

Create your authorization profile in ISE

Then on FMC side, go to users, external authentication, and add the following.

Now any user part of that AD group will have Admin access. At the bottom, I changed my default user role to read-only.   You could create more ISE authorization profiles as needed if you have more roles.  Hope this helps!

Thanks for your help also @4qbuddy