Yes, this is possible as follows:
1) create a group containing only the resources you want the user to be able to access
2) create the user
3) create a role "read-only role"
- assign the group you created in step 1) to the group
- assign the user you created in step 2) to the role
- do not add any permissions to the role, beyond the implicit resource-read permissions, which are automatically assigned
For more info on the RHQ security model see:
Thanks a lot Ian, that is exactly what i was looking for.