troy,
this is not possible today.
short note on roles: we have only several pre-canned roles today with a fixed set of permissions.
we want to move in the direction where the system uses fine-grained permissions for particular actions and the pre-canned user roles each have a list of permissions that can be adjusted by admins.
incrementally later, introducing a new feature for custom roles that enables admins/managers to associate a list of permissions to each role.
for now we suggest to our customers to use the pre-canned roles and know that we treat cloud_controller_admin as a special type of admin user. we do not have a way to do a read-only admin user currently.
i definitely understand the need for this use case and we're under active discussions about how to address it.
thanks,
james