Did you know:

You can assign a user the snc_read_only role and it will make everything which they can already access become read only. This role does not function by itself and must be assigned with other roles.

For example:

Customer requires global read only (eg, all Script includes, Bussiness rules etc) you can assign the user admin and scn_read_only role.

Users with the snc_read_only role have the following restrictions regardless of other roles and privileges they have.

• Cannot insert, update, or delete records from the UI or when using the GlideRecord API.
• Cannot activate or upgrade plugins.
• Cannot directly run SQL.
• Cannot upload XML files.
• Can only run background scripts when on an instance in the public sandbox environment.