Yes, this is absolutely correct, the code checks the R/W status of the database. If it is set to read-only, it will not be copied up to the durable directory. The first version which has this feature are kits based off of IRIS 2021.2.

You can use the Get and Modify methods in coordination with the Security.Resources:List() query (which allows wildcards). Here is some

untested code which will give you an idea of what you can do:

%SYS>s x=##Class(Security.Roles).Get("%developer",.Properties)
 
%SYS>zw Properties
Properties("Description")="A Role owned by all Developers"
Properties("GrantedRoles")=""
Properties("Resources")="%DB_%DEFAULT:RW,%DB_IRISLIB:R,%DB_IRISLOCALDATA:R,%DB_IRISTEMP:RW,%DB_USER:RW,%Development:U,%DocDB_Admin:U,%Service_Console:U,%Service_DocDB:U,%Service_Object:U,%Service_SQL:U,%Service_Telnet:U,%Service_Terminal:U,%Service_WebGateway:U,%System_CallOut:U"

;Now get the list of resources you want using a result set.

Set Rset = ##class(%ResultSet).%New("Security.Resources:List")
 '$$$ISOK(Rset) $SYSTEM.Status.DisplayError(%objlasterror) q
 Status=Rset.Execute("*") ; See class documentation of what you can use for wildcards here
 '$$$ISOK(Status) Do $System.OBJ.DisplayError(Status) q

s ResourceString=""

 While Rset.Next(.Status) {
 s Resource=Rset.Data("Name")
s ResourceString=ResourceString_Resource_":RW"_","

}

 '$$$ISOK(Status) Do $System.OBJ.DisplayError(Status) q
s ResourceString=$e(ResourceString,1,*-1) ; Remove trailing comma
;Now add to the existing resource string. Duplicates are ignored.

s Properties(Resources)=Properties("Resources")_","_ResourceString

;Now save it

s Status=##Class(Security.Roles).Modify("%developer",.Properties)

Take a look at the LDAP.MAC routine in the SAMPLES database. Look at Example 5 which shows how to change a password in Active directory using LDAP.