ISE Device Admin for Non-Cisco Devices

fatalXerror
Level 5

Hi Guys,

I was able to integrate my FortiGate and Palo Alto firewalls with my ISE TACACS and it is working with the GUI. I would like to ask if it is also possible to restrict CLI commands using the command sets for the FortiGate and PA firewalls?

Thank you.

3 Replies

Hi @fatalXerror ,

Worth a shot to check the following link: How to configure TACACS authentication against Cisco ISE.

Hope this helps!!!

It's going to depend on the other device. Either command accounting, or limiting the user via av-pair or the like back to the device. We limit F5 that way, but it's done on the F5, not by ISE, other than the user level sent back.

I have no experience with FortiGate; however, for Palo Alto you can define the Admin Roles as you wish, and then you just reference their names in the ISE TACACS Profiles custom attributes. For example, if you created two Admin Roles, one called RW-Admins and another RO-Admins, then from the ISE TACACS Profiles custom attributes you can reference those two by creating two TACACS profiles, one for the RW and another for the RO. In both profiles you will use the MANDATORY type; the VSA in this case will be PaloAlto-Admin-Role and/or PaloAlto-Panorama-Admin-Role, plus the value. The value is the Admin Role Profile you created, in this case RW-Admins or RO-Admins.

To restrict the CLI accesses, you will have a tab called Command Line in the Admin Role Profile. When you go there you can select one of the supported options:

None: No CLI access at all, this is the default I think.

superuser: Full access.

superreader: Read only access.

deviceadmin: Full access to all firewall settings, with the exception of creating new accounts or vsys, which are only allowed for a superuser.

devicereader: Read only access to all the firewall settings except for the password profiles and the other admin accounts.

For Panorama it is very similar to the firewalls, however, Panorama wouldn't have the deviceadmin and the devicereader roles as those are more related to the firewalls. Panorama has also a role called panorama-admin which is very similar to the superuser role with the exception for creating, editing or deleting the Panorama admins and some restrictions when it comes to push and export configs.

You should also set the Admin Role Profile to read only for the UI; you can do that from the main tab, which is called Web UI. Some of the menus won't support read only; in that case you can just suppress them if you want.
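To make the profile-to-role mapping described above concrete, here is an added Python example (not from this thread, and not ISE or PAN-OS code): it encodes an ISE TACACS profile's MANDATORY custom attribute as the TACACS+ AV-pair the device receives, and shows the fail-closed check a device side should apply to the role name in that reply. The role names, the `ise_profile` and `resolve_role` helpers and the fail-closed policy are assumptions made for the example.

```python
# Added example: model ISE TACACS profile custom attributes for Palo Alto
# admin roles as TACACS+ AV-pairs, then validate them on the device side.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Admin Role Profiles assumed to exist on the device (constructed names).
FIREWALL_ROLES: Set[str] = {"RW-Admins", "RO-Admins"}
PANORAMA_ROLES: Set[str] = {"RW-Admins", "RO-Admins"}

# TACACS+ (RFC 8907) separators: '=' marks a mandatory attribute, '*' optional.
MANDATORY, OPTIONAL = "=", "*"


@dataclass(frozen=True)
class CustomAttribute:
    name: str            # VSA name, e.g. PaloAlto-Admin-Role
    value: str           # Admin Role Profile name configured on the device
    mandatory: bool = True   # ISE "MANDATORY" type -> '=' separator

    def av_pair(self) -> str:
        return f"{self.name}{MANDATORY if self.mandatory else OPTIONAL}{self.value}"


def ise_profile(role: str, panorama: bool = False) -> List[str]:
    """AV-pairs an ISE TACACS profile built as in the answer above would send."""
    attr = "PaloAlto-Panorama-Admin-Role" if panorama else "PaloAlto-Admin-Role"
    return [CustomAttribute(attr, role).av_pair()]


def parse_av_pair(pair: str) -> Tuple[str, str, bool]:
    """Split an AV-pair at its first separator into (name, value, mandatory)."""
    for i, ch in enumerate(pair):
        if ch in (MANDATORY, OPTIONAL):
            return pair[:i], pair[i + 1:], ch == MANDATORY
    raise ValueError(f"not a TACACS+ AV-pair: {pair!r}")


def resolve_role(pairs: List[str], known_roles: Set[str],
                 attr: str = "PaloAlto-Admin-Role") -> Optional[str]:
    """Return the Admin Role Profile to apply, or None to deny the login.

    Policy assumed here: a MANDATORY attribute naming a role the device does
    not know is a hard failure (fail closed); an optional one is just ignored.
    Attributes for another platform (e.g. the Panorama VSA) are not honoured."""
    role = None
    for pair in pairs:
        name, value, mandatory = parse_av_pair(pair)
        if name != attr:
            continue                      # not the attribute this device uses
        if value in known_roles:
            role = value
        elif mandatory:
            return None                   # unknown mandatory role: deny
    return role
```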