Setup readonly users

i have AD Setup and the backend roles are showing currently for users.
All my regular users should only be able to query the logs in kibana. Basically no write/update on the indexes.
Which security roles should i be granting at cluster and index levels for a role i created for them ?