by default, every user group with "web service access" has full admin rights on the selected report suites. there is no way to reduce the permissions to "read-only" on report suite settings.
the "web service access" should only trigger, if a user group is allowed to use the API credentials. the single permissions to read/edit/delete anything within report suites should be based on other permissions (eg. the existing options for user management)