User with Read-only privileges

Is it possible to have a 2nd user who has limited privileges, such as read-only? I see that we can now buy access for another (SSO) admin, invited them in and merge networks and then that admin can be limited to read-only, but is that the only way to make this happen? All we want is to be able to give a member of staff read-only access for monitoring and support purposes. Docs are not all that clear (perhaps as SSO is new?)

Thanks,

Fraser.