It's not impossible. In fact it's quite easy as long as we're talking about the HTTP API here (and I assume we are, since we're in the NMSDK API area of the forum).
However, I would agree that creating a read-only CLI user is not possible, since there are some corner cases (like the vfiler commands, if I remember correctly) where destructive and read-only commands are not separated well enough.
Here's an example for a read-only API user, though:
useradmin role add myrole -a login-http-admin,api-system-get-info,api-aggr-list-info,api-volume-list-info,api-snapshot-list-info
useradmin group add mygroup -r myrole
useradmin user add myuser -g mygroup
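
An added example, not part of the original post: a small Python check that reads a `useradmin role add` line and flags any capability that would take the role beyond a read-only HTTP API role. The suffix rule (`-get-info` / `-list-info` means read-only) and the second, wider role line are assumptions made for this sketch.

```python
import shlex

# Assumption for this sketch: API names with these suffixes only read state.
READ_ONLY_SUFFIXES = ("-get-info", "-list-info")
API_LOGIN = "login-http-admin"  # login capability used by the role in the post

# Role line from the post, and a constructed wider role for comparison.
POST_ROLE = ("useradmin role add myrole -a login-http-admin,api-system-get-info,"
             "api-aggr-list-info,api-volume-list-info,api-snapshot-list-info")
WIDE_ROLE = ("useradmin role add widerole -a login-http-admin,login-ssh,"
             "api-*,cli-vfiler*,api-volume-destroy")


def parse_role_add(line):
    """Return (role_name, [capabilities]) from a 'useradmin role add' line."""
    tokens = shlex.split(line)
    if tokens[:3] != ["useradmin", "role", "add"] or "-a" not in tokens[4:-1]:
        raise ValueError("expected: useradmin role add <role> -a <cap>[,<cap>...]")
    caps = tokens[tokens.index("-a", 4) + 1]
    return tokens[3], [c.strip() for c in caps.split(",") if c.strip()]


def audit_capability(cap):
    """Return None if the capability fits a read-only API role, else a reason."""
    if cap == API_LOGIN:
        return None
    if cap.startswith("login-"):
        return "login method other than the HTTP API"
    if cap.startswith("cli-"):
        return "CLI capability; CLI commands are not cleanly split into read-only"
    if "*" in cap:
        return "wildcard grants more than the explicitly listed read calls"
    if cap.startswith("api-") and cap.endswith(READ_ONLY_SUFFIXES):
        return None
    return "not an explicitly named read-only API call"


def audit_role(line):
    """Return (role_name, {capability: reason}) for everything worth reviewing."""
    role, caps = parse_role_add(line)
    findings = {c: r for c in caps if (r := audit_capability(c))}
    if API_LOGIN not in caps:
        findings[API_LOGIN] = "missing; needed to log in over the HTTP API"
    return role, findings


if __name__ == "__main__":
    for line in (POST_ROLE, WIDE_ROLE):
        print(audit_role(line))
```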