Now, We've already developed the GUI and the privilege stuff to the community and it works and looks good.
About the read-only access I tried the solutions with the 'rel types' described in link above and I tried with 'staff privileges' and it didn't work neither, So my possible solution is:
Modify each application of .Lrn/OACS to validate that their items are not shown and not modified (This could be a lot of modifications). I believe that maybe there is another solution instead of mine, so if you have another one, please let me know.