# suitescript
a
When you are working in a SOX Compliant account, is there a way to create a Role only with view permissions in Production in such a way that you can only compare and pull files with SDF from Production but you can't push/deploy?
a
no idea, but I'm curious so I'm replying so I get updates on the thread
maybe post in #C42JX79UZ?
d
Think you'll have to try it out (and let us know!). A customized version of the developer role? There's info here about the base permissions for an SDF role. I think you may only "need" Setup > Web Services and Setup > User Access Tokens. But I may be wrong
a
yeah that's what I was thinking too, but I didn't really want to think about it too hard 😂
f
You can do this with CI/CD. So what you would want to do is create the deployment keys so that only the CI/CD can deploy to production, and that deployment is going to happen from the commit to a specific branch, in my case main. Then you know that branch is always what is in production. To implement change management, you could download the branch and compare to the file cabinet, but you'll want to lock down the file cabinet as well. With good branch management, you now have really good change control, but the implementation of CI/CD is a whole other can of worms, and my suggestion here is lots of very small targeted "microservice"-like deployments so you are not messing with the entire filesystem at once, and then I would take it a step further and build automated testing into your deployment that tests core functionality of all your services before the deployment. The way I have done this is to write everything in an API-First-like approach, and then you can put Newman into your CI/CD pipeline that can run Postman collections, or better yet, you can implement Karate. Change management will become your best friend, so get it dialed.