Currently it is not possible to configure an account with Read-Only access to the iControl REST API using BIG-IP web UI.
The following steps are required to perform this configuration:
1. Login to the BIG-IP Web UI
2. Navigate to System -> Users -> User List
3. Click on Create
4. Enter the Account User Name (i.e. ComtradeMonitoringAccount)
5. If you are creating a local account, enter the password, since for external accounts you will not be able to enter the password
6. Select the appropriate role except No Access (i.e. Guest role)
7. Click on Finished
8. Run the Set-ReadOnlyAccess.ps1 PowerShell script from management server, which can be found on this default location: C:\Program Files (x86)\Comtrade\Comtrade F5 BIG-IP MP\Management packs\Configuration tools Comtrade\Comtrade F5 BIG-IP MP\ Management packs\Configuration tools. After you run the script, you need to enter the device IP address of the BIG-IP device on which you created the Account User Name (i.e. ComtradeMonitoringAccount). You will be prompted for the Admin credentials. After that, enter Account User Name, which you created before.
For more detailed explanation you can checkout this blog post: https://www.hycusoftware.com/blog/deep-dive-using-remote-authentication-and-role-based-access-control-with-f5-big-ip-icontrol-rest-api/