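-- Running this query against your "RecastManagementServer" database will create a new role
-- called "ReadOnly" with all read permissions enabled. (Updated 11/09/2023 - Hammann)
--
-- What the script does:
--   1. Inserts role Id 5001 / Name 'ReadOnly' into dbo.Roles (explicit identity value).
--   2. Inserts one dbo.rolepermissions row for every dbo.permissions row whose Name is listed below.
--
-- NOTE(review): "ReadOnly" is not the same as "low sensitivity". Judging by their names only,
-- several entries hand out recovery or credential material:
--   GetBitLockerRecoveryData, GetRecoveryPasswordFromDevice, GetRecoveryKeysForDevice,
--   GetMachinesWithMBAMKeys, GetMachinesWithMBAMKeys_v2, GetMachinesWithCmBlmKeys,
--   GetADComputerWithLAPSData, GetTPMHash, GetTPMHashForUser
-- and a few do not read as pure queries:
--   ActiveDirectoryCleanupTool, RepopulateAllScopes, ManageComputer, OpenRegedit, OpenCShare,
--   GatherSCEPLogs, RunStatusMessageQuery
-- Confirm each against the product's permission documentation and delete the names this role
-- should not hold before running the script.
--
-- NOTE(review): permissions are matched by Name alone. If dbo.permissions holds more than one row
-- with the same Name (generic names such as 'Open', 'Read', 'GetValue' are the likely candidates),
-- every matching row is granted. A listed name that matches no row is skipped without any error,
-- so compare the resulting dbo.rolepermissions rows for RoleId 5001 with what you expected.

-- Abort the batch and roll back on any run-time error, so a failure cannot leave the role
-- half-configured.
SET XACT_ABORT ON;

-- Refuse to attach permissions to an unrelated role that already occupies Id 5001.
IF EXISTS (SELECT 1 FROM [dbo].[Roles] WHERE [Id] = 5001 AND [Name] <> 'ReadOnly')
BEGIN
    THROW 50000, 'Role Id 5001 is already in use by a different role; no changes were made.', 1;
END;

BEGIN TRANSACTION;

-- Create the role only when it is missing, so the script can be re-run safely.
IF NOT EXISTS (SELECT 1 FROM [dbo].[Roles] WHERE [Id] = 5001)
BEGIN
    -- IDENTITY_INSERT is needed only for this one insert; switch it off again straight away.
    SET IDENTITY_INSERT [dbo].[Roles] ON;

    INSERT INTO [dbo].[Roles] ([Id], [Name])
    VALUES (5001, 'ReadOnly');

    SET IDENTITY_INSERT [dbo].[Roles] OFF;
END;

-- Grant the listed permissions to the role, skipping any pair that is already present.
-- The list keeps the original order; the repeated 'ReadOnly' and 'GetConfigurationBaselines'
-- entries were dropped (a duplicate inside IN has no effect).
INSERT INTO dbo.rolepermissions (RoleId, PermissionID)
SELECT
    5001,
    p.ID
FROM dbo.permissions AS p
WHERE p.Name IN (
    'ActiveDirectoryCleanupTool',
    'GetObjectContainerItems',
    'GetDrivers',
    'GetAssetIntelligenceInventoriedSoftware',
    'GetMachinesWithMBAMKeys_v2',
    'GetMachinesWithCmBlmKeys',
    'GetMBAMCompliance',
    'GetAutomaticDeploymentRules',
    'GetUserCollectionsinFolder',
    'GetDeviceGroupMemberships',
    'OpenCShare',
    'GetComputerWarranty',
    'TestMemcmServiceConnection',
    'GetADUsers',
    'GetMemcmServiceConnection',
    'GetADComputersInGroup',
    'GetSites',
    'GetBitLockerRecoveryData',
    'ContentDetails',
    'GetTaskResults',
    'GetAllVirtualizationBasedSecuritySettings',
    'ListAzureActiveDirectoryServiceConnections',
    'GetApplicationsDeployedToUsers',
    'GetUsers',
    'ClientInformation',
    'GetSoftwareUpdatesByCollections',
    'GetScopeMemberships',
    'GetDistributionPointContent',
    'GetQueries',
    'GetDistributionPointConfigurationStatus',
    'GetADUser',
    'GetBoundaryGroups',
    'GetContentStatus',
    'GetStatusMessageQueries',
    'GetADContainers',
    'GetDevicesInSiteScope',
    'ListSoftware',
    'ListActiveDirectoryServiceConnections',
    'ReadOnly',
    'GetWarrantyInformation',
    'GetMbamServiceConnection',
    'GetADGroupsInGroup',
    'GetUserDevices',
    'GetChassisInformation',
    'GetDistributionPointGroupStatus',
    'GetManufacturerCounts',
    'GetGlobalConditions',
    'PingComputer',
    'GetDefenderStatus',
    'GetMBAMComplianceForAllMachines',
    'GetUnifiedWriteFilterFeatureStatus',
    'ListScopes',
    'GetComputersWithoutLapsClient',
    'GetVirtualHardDisks',
    'TestServiceConnection',
    'GetDevicesByMACAddress',
    'GetSiteDeviceCollectionsWithFolders',
    'GetUserDevicesByUsername',
    'GetDeviceCollectionsinFolder',
    'GetSiteDeviceCollectionsWithFoldersByCollections',
    'GetDistributionPointGroupStatusforPackage',
    'GetSecurityScopes',
    'GetSystemOperatingSystemInformation',
    'GetAdminTrendList',
    'SearchPrincipal',
    'GetParentOUs',
    'SearchADComputers',
    'GetConflictingRecords',
    'ListRoutes',
    'GetCategoryInstanceById',
    'GetOperatingSystemImages',
    'GetAllUsersCore',
    'OpenContentSource',
    'GetTrend',
    'GetAdGroupByDistinguishedName',
    'GetDiscoveryMethods',
    'GetRequiredSoftwareUpdates',
    'GetDefenderExclusions',
    'GetSecureBootStatus',
    'GetOverlayConfiguration',
    'GetAdContainerByDistinguishedNameCore',
    'GetGroupMembers',
    'GetAllSoftwareUpdates',
    'GetSecurityByName',
    'GetPowerConfigurationsforComputer',
    'GetADGroupsInGroupCore',
    'GetMigrationJobs',
    'GetPermissionsForRole',
    'GetExecutionHistory',
    'GetDevicesBySmBiosGuid',
    'GetDistributionPointStatusforPackage',
    'ViewReleaseNotes',
    'GetComputersWithX64LapsClient',
    'Get4XActionExecutionGroup',
    'GetADGroups',
    'GetOperatingSystemInstallers',
    'GetUserStateMigrations',
    'GetADGroupsCore',
    'GetDriverPackages',
    'ListProxies',
    'GetADOUs',
    'OpenRecastEiReportViewer',
    'GetSystemConsoleUsageData',
    'GetCollectionFolderInformation',
    'GetApplications',
    'GetDeployedPrograms',
    'GetSystemGuardSecureLaunchSettings',
    'GetAccounts',
    'GetDeploymentTypesForApplication',
    'ListProfiles',
    'GetUserSessions',
    'GetUserAndRoles',
    'GetBootImages',
    'GetCollectionById',
    'GetAssetIntelligenceCatalog',
    'GetAdGroupByDistinguishedNameCore',
    'GetADComputer',
    'GetBatteryInformation',
    'GetMalwareDetected',
    'GetSoftwareUpdatesInGroup',
    'GetAllContentStatus',
    'OpenComputerInServiceNow',
    'GetADComputersCore',
    'GetUserCollectionMembersCore',
    'GetTaskSequenceContent',
    'ListMbamServiceConnections',
    'GetClientOperations',
    'GetActionExecutionGroup',
    'GetApprovalRequests',
    'GetTPMHashForUser',
    'GetAlertSubscriptions',
    'GetDeviceCollectionMembers',
    'GetConfigurationItems',
    'GetAdContainerByDistinguishedName',
    'GetEndpointProtectionFirewallPolicies',
    'GetUefiSecureBootStatus',
    'MissingSoftwareUpdates',
    'ListValues',
    'GetRoles',
    'GetSecurity',
    'GetTrendList',
    'GetSecurityRoles',
    'GetDevicesByCreationDate',
    'GetDeviceId',
    'GetAllUsers',
    'GetDirectoryEntries',
    'RepopulateAllScopes',
    'GetProxyJobDetails',
    'GetAdContainerByObjectGuid',
    'GetDeployments',
    'GetDeviceCollectionMembersByCollections',
    'GetDPGroupsWithMembers',
    'GetNonCompliantUpdateStatuses',
    'GetCollectionsforUser',
    'GetRecentDevicesScanned',
    'GetBaseboardInformation',
    'GetAllAlerts',
    'Open',
    'GetGlobalConfigurationIssues',
    'GetAllDeviceCollectionsByCollections',
    'GetFileExclusions',
    'ApplicationRevisionHistory',
    'GetWriteFilterStatus',
    'GetCollectionVariablesforDevice',
    'GetFailedContentOnDistributionPoint',
    'GetSystemBiosInformation',
    'GetActiveAlerts',
    'ListHives',
    'GetComputerSystemInformation',
    'ListAgentGateways',
    'GetAllCollections',
    'GetValue',
    'StatusMessages',
    'GetTpmStatus',
    'GetRegistryExclusions',
    'TestActiveDirectoryServiceConnection',
    'GetAdContainerByObjectGuidCore',
    'GetSoftwareMeteringRules',
    'OpenUserInServiceNow',
    'GetExecutionHistoryForJobID',
    'GetAllDistributedContent',
    'ListMemcmServiceConnections',
    'GetADContainersCore',
    'TestNewServiceConnection',
    'ListAgents',
    'GetComputersWithX86LapsClient',
    'GetCertificates',
    'GetPermissionsforUser',
    'GetAdGroupByObjectGuid',
    'GetServiceWindowsforComputer',
    'GetADUsersInGroupCore',
    'GetClientSettings',
    'GetUserCollectionMembers',
    'GetDPGroupTaskSequenceContent',
    'GetADUsersCore',
    'GetApplicationRevisions',
    'GetComputerSystemProductInformation',
    'GetBitLockerStatus',
    'GetAllDeploymentTypes',
    'ListServices',
    'GetDistributionPointGroups',
    'GetDevicesInCollectionScope',
    'GetDeploymentPackages',
    'GetRecastManagementServerLogs',
    'GetSystemFirmwareStatus',
    'GetAllUserCollections',
    'GetMachinesWithMBAMKeys',
    'GetLoggedInUsers',
    'GetSiteStatus',
    'GetPackages',
    'GetADUsersInGroup',
    'GetDeviceCollectionInformationforDevice',
    'GetPermissionDetailsforUser',
    'GetRunningProcesses',
    'ListActionExecutionGroups',
    'GetEndpointProtectionAntimalwarePolicies',
    'GetDistributedSoftwareUpdates',
    'GetAdministrativeUsers',
    'GetTaskSequences',
    'GetPrimaryGroupForAccount',
    'GetSystemsBitLockerEncryptionStatus',
    'GetVirtualizationBasedSecuritySettings',
    'GetADGroup',
    'GetWindowsFirewallProfiles',
    'GetApplicationByModelId',
    'GetADComputerWithLAPSData',
    'GetWindowsFirewallRules',
    'RunStatusMessageQuery',
    'SearchOUs',
    'GetDeviceCount',
    'GetDeployedApplicationsForUser',
    'Read',
    'ListSubkeys',
    'GatherSCEPLogs',
    'GetEnrollmentSettings',
    'GetAssetIntelligenceHardwareRequirements',
    'GetUserCollectionFolders',
    'GetUnknownDevices',
    'GetADComputersBitLockerStatus',
    'GetTPMHash',
    'OpenRegedit',
    'SearchADGroups',
    'GetAllSettings',
    'DeployedApplications',
    'GetComponentStatus',
    'GetADComputers',
    'GetADComputersInGroupCore',
    'GetAdGroupByObjectGuidCore',
    'GetDomain',
    'GetGroupMemberShips',
    'IsAccountEnabled',
    'SearchADUsers',
    'GetActiveDirectoryServiceConnection',
    'GetAllPermissions',
    'GetRolesForUser',
    'GetTrendsByType',
    'GetRecoveryPasswordFromDevice',
    'GetConfigurationBaselines',
    'GetDeployedTaskSequences',
    'GetServiceWindows',
    'GetUserPolicyEndpoint',
    'PackageInformation',
    'TaskSequenceInformation',
    'GetActiveDirectoryForests',
    'GetAllDeviceCollections',
    'GetAllDevices',
    'GetAllDevicesInOu',
    'GetBoundaries',
    'GetCollectionsForDevice',
    'GetCompliantUpdateStatuses',
    'GetDevicecollectionFolders',
    'GetDeviceCountForLicensing',
    'GetDistributionPoints',
    'GetDistributionPointsInDistributionPointGroup',
    'GetInstalledSoftwareUpdates',
    'GetServersAndSiteSystemRoles',
    'GetSoftwareUpdateGroups',
    'GetSoftwareUpdatesByResourceIds',
    'GetUserCollectionsWithFolders',
    'ManageComputer',
    'ResourceExplorer',
    'AppliedProfileStatus',
    'GetRecoveryKeysForDevice',
    'TestMbamServiceConnection',
    'GetAllLocalGroupMembers',
    'FindFileExclusions',
    -- NOTE(review): spelled exactly as in the original script; verify the name against
    -- dbo.permissions, since a name with no matching row grants nothing.
    'FindRegistrExclusion',
    'GetCredentialGuardSettings',
    'ListTasks'
)
AND NOT EXISTS (
    SELECT 1
    FROM dbo.rolepermissions AS rp
    WHERE rp.RoleId = 5001
      AND rp.PermissionID = p.ID
);

COMMIT TRANSACTION;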