Workfront allows you to create custom access groups within your instance for plan, work, review, and requester licenses (with some administrative access capabilities), but does not have an option to create an admin level "read only" access for users. Having this type of access could be extremely valuable for instances that require administrative level access to view specific objects, but you do not want those users to have write access to those objects.
A common use case for this is when using an API user for an integration. Due to the security risk of granting an API user full administrative access to an instance, most APIs can only have a very restrictive planner license to access the objects it needs to complete the integration flows. If your integration requires you to build out custom forms or other types of objects that you only want admins to have access to, but you also need the API to see, in the current version of Workfront, there are no great workarounds for this other than exposing that information to non-admins. Having the ability to create a restrictive "read-only" admin access, that I can customize to my needs, would allow administrators to grant APIs or specific users access to read specified administrative objects or "Admin Only" section fields in custom forms without creating the risk of giving users administrative level permissions.