if you change your users to READ only, then the programs that do the updates will not load properly for them and will therefore become useless and inoperable, unless you have code within the program that adopts authority.
the simplest way is to create a GROUP profile for each department. define within that GROUP profile the access rights afforded to the general user class in that department. use ChgUsrPrf to attach the users to the GROUP profile for their department/area.
of course, if the system is only menu driven and the user cannot get to the IBM supplied menus and you set their LmtCpb (Limit Capabilities) to *YES, then they should not be able to get to system functions anyway.
you should also devise a program menu and set that as their AtnPgm (Attention Program) so that when they press the Attention Key, they go into a CONTROLLED menu that does not allow for IBM menu access.
the best and simplest form of security is a well managed menu system. security is for keeping strangers out of your system and coralling users who may wander from the herd.