Simple way to make the CLI have read-only authorization?

Is there a simple, straightforward way to adjust the authorization of all CLI users so that any new CLI session that starts is only permitted to perform read operations, and that any command that would write to the CDB will fail? And at the same time, continue to allow all operations from other northbound interfaces. Basically, we want to have a master switch that will make the CLI read-only. Is it possible through NACM or confd.conf?

If it’s not possible to have a single global switch, how would it be done through command rules?

The User Guide section 14.6.1 mentions an augmentation in the tail-f.yang for the leaf nodes “cmd-read-default” and “cmd-exec-default”, with some brief explanation following that, but I don’t understand how this can be utilized to achieve the result of making all CLI commands read-only. Thank you for any further explanation you can provide.

If you have not figured that out yourself yet: if you want to “switch”, you need to reconfigure the NACM rules (or have them operational, change your data provider and tell confd to reload the aaa configuration); and so as to make CLI sessions read-only you need to have a rule that prohibits all write access and has tacm:context set to "cli". Does this help?