diff --git a/playbooks/manual/fas-readonly/fas-readonly.sql b/playbooks/manual/fas-readonly/fas-readonly.sql
new file mode 100644
index 0000000000..492d3347b7
--- /dev/null
+++ b/playbooks/manual/fas-readonly/fas-readonly.sql
@@ -0,0 +1,25 @@
+--
+-- Make fas read only
+--
+
+
+REVOKE ALL PRIVILEGES on people from fas;
+GRANT SELECT on people to fas;
+
+-- This needs to stay so that people can still login.
+GRANT update (last_seen) on people to fas;
+
+REVOKE ALL PRIVILEGES on groups from fas;
+GRANT SELECT on groups to fas;
+
+REVOKE ALL PRIVILEGES on group_roles from fas;
+GRANT SELECT on group_roles to fas;
+
+REVOKE ALL PRIVILEGES on person_roles from fas;
+GRANT SELECT on person_roles to fas;
+
+REVOKE ALL PRIVILEGES on person_roles_fpca from fas;
+GRANT SELECT on person_roles_fpca to fas;
+
+REVOKE ALL PRIVILEGES on bugzilla_queue from fas;
+GRANT SELECT on bugzilla_queue to fas;
diff --git a/playbooks/manual/fas-readonly/fas-readonly.yml b/playbooks/manual/fas-readonly/fas-readonly.yml
new file mode 100644
index 0000000000..888c841269
--- /dev/null
+++ b/playbooks/manual/fas-readonly/fas-readonly.yml
@@ -0,0 +1,16 @@
+---
+- name: change fas db to readonly for most actions
+ hosts: db-fas01.iad2.fedoraproject.org:db-fas01.stg.iad2.fedoraproject.org
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ tasks:
+ - name: copy the sql script to file
+ template: src=fas-readonly.sql dest=/var/lib/pgsql/fas-readonly.sql
+
+ - name: change permissions for relevant tables in the fas db
+ shell: psql -1 -v ON_ERROR_STOP=1 fas2
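Review bot: In fas-readonly.sql, the REVOKE/GRANT pairs only remove privileges granted directly to the `fas` role on the six named tables, so the read-only guarantee rests on assumptions the script neither states nor checks. In PostgreSQL a table owner can re-grant itself anything it has revoked, and `REVOKE ... from fas` leaves grants to PUBLIC or to a role that `fas` is a member of untouched. If any of those apply here (not visible from this file), writes remain possible. Tables outside this list also stay writable, which may be intended given "for most actions" in the playbook name. I would add a header comment such as `-- Assumes fas does not own these tables and has no write access via PUBLIC or role membership; confirm with \dp <table> after applying.`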