At my workplace, the command-line database tool (which is essentially just a wrapper around the standard MySQL CLI) connects with a read-only role by default, and you need to explicitly pass a flag to it to connect with a read-write role. The two roles use separate ACLs so we can grant someone just read-only access if they don’t need write access.
At my last job I was given write permissions to production and I asked for read only credentials instead, I know my own stupidity
At my workplace, the command-line database tool (which is essentially just a wrapper around the standard MySQL CLI) connects with a read-only role by default, and you need to explicitly pass a flag to it to connect with a read-write role. The two roles use separate ACLs so we can grant someone just read-only access if they don’t need write access.