I am using view configs to give viewing permissions but is there a way to implement a read only. Where if the user has the right role, they can't take any actions on the view? Right now my only solution is manually configuring this for every component.
One option is to create a view custom property, readOnly, say, and bind each of the "editable" properties to it. It's then simply a matter of right-click, Copy Binding followed by Paste Binding later.
Not sure about your exact setup, but my personal preference is to primarily put security at the Tag level. That way if something gets missed for security on screen you don't have to worry about it as much. However, I understand that not everything that needs to be protected can be done from tags. For other things like queries for example, I think it still best to put the security at the base level (in this example query level).
For this project most of the data access is done through scripting, so I think if I'm understanding you correctly, it might be hard for me to implement that way.
Hmmm, since it is mostly scripting that's probably one of the more difficult methods to lock down, some potential solutions that come to mind:
Security via Graphics - What @Transistor mentioned seems like a pretty good solution for locking items down from the graphic level.
Local Scripts Security Check - If your scripts are local, then check the security before you run the script or have a check in the script at a component by component level.
Global Scripts Security Check - If your scripts are global, then pass security parameters to the global script where you check for security as part of the script.