Creating a role which can access to all parts of the console but with Read Only access only

ITMS 8.x

First, clone the role which has access to all part of the console (like Symantec Administrators).  Then change all appropriate permissions in Security Role Manager to Read Only following the steps below:

1. In Settings>All Settings>Notification Server>Account Management>Roles, clone the "Symantec Administrators" role.
2. Choose a name for the cloned role.
3. Right-click on the newly created role and select Security Role Manager. 
4. In the View dropdown select "Resources".
5. In the Item Permissions pane, select the following:
   
   • Read
   • Read Resource Association
   • Read Resource Data
     NOTE: This prevens the role from being able to change any resource
     
     
6. Press Advanced and select "Replace permissions on all child objects" as well.
7. To make the role so it is unable to change polices or tasks, you would need to do the Steps 5-6 for all Data Classes, Items, including Policies and Tasks.
8. You can create a report using the query in the attachment to this article(More_than_read_access.txt) to identify which resources have the "Write" privilege still selected for the newly cloned role.
   • Replace the  %Role%  in the first line with the GUID of the Role you are working on.
   • Double click on each row of the resolved report and do step 5 for each line again. (Every time coming back to Security Role Manager page, make sure appropriate role is selected)