diff --git a/mariadb/DOCS.md b/mariadb/DOCS.md
index a6781a8..f44d26f 100644
--- a/mariadb/DOCS.md
+++ b/mariadb/DOCS.md
@@ -28,9 +28,15 @@ databases: logins: - username: homeassistant password: PASSWORD + - username: read_only_user + password: PASSWORD rights: - username: homeassistant database: homeassistant + - username: read_only_user + database: homeassistant + privileges: + - SELECT ``` ### Option: `databases` (required)
@@ -61,6 +67,13 @@ This should be the same user name defined in `logins` -> `username`. This should be the same database defined in `databases`. +### Option: `rights.privileges` (optional) + +A list of privileges to grant to this user from [grant][grant] like `SELECT` and `CREATE`. +If omitted, grants `ALL PRIVILEGES` to the user. Restricting privileges of the user +that Home Assistant uses is not recommended but if you want to allow other applications +to view recorder data should create a user limited to read-only access on the database. + ## Home Assistant Configuration MariaDB will be used by the `recorder` and `history` components within Home Assistant. For more information about setting this up, see the [recorder integration][mariadb-ha-recorder] documentation for Home Assistant.
diff --git a/mariadb/config.json b/mariadb/config.json
index 5f49d6c..4dd6cc1 100644
--- a/mariadb/config.json
+++ b/mariadb/config.json
@@ -25,7 +25,15 @@
 "schema": {
 "databases": ["str"],
 "logins": [{ "username": "str", "password": "password" }],
- "rights": [{ "username": "str", "database": "str" }]
+ "rights": [
+ {
+ "username": "str",
+ "database": "str",
+ "privileges": [
+ "list(ALTER|CREATE|CREATE ROUTINE|CREATE TEMPORARY TABLES|CREATE VIEW|DELETE|DELETE HISTORY|DROP|EVENT|GRANT OPTION|INDEX|INSERT|LOCK TABLES|SELECT|SHOW VIEW|TRIGGER|UPDATE)?"
+ ]
+ }
+ ]
 },
 "image": "homeassistant/{arch}-addon-mariadb"
 }
diff --git a/mariadb/rootfs/etc/services.d/mariadb/run b/mariadb/rootfs/etc/services.d/mariadb/run
index 56562c1..9305dc1 100644
--- a/mariadb/rootfs/etc/services.d/mariadb/run
+++ b/mariadb/rootfs/etc/services.d/mariadb/run
@@ -84,8 +84,15 @@ for right in $(bashio::config "rights|keys"); do
 USERNAME=$(bashio::config "rights[${right}].username")
 DATABASE=$(bashio::config "rights[${right}].database")
- bashio::log.info "Alter rights for ${USERNAME} to ${DATABASE}"
- mysql -e "GRANT ALL PRIVILEGES ON ${DATABASE}.* TO '${USERNAME}'@'%';" 2> /dev/null || true
+ if bashio::config.exists "rights[${right}].privileges"; then
+ PRIVILEGES=$(bashio::config "rights[${right}].privileges")
+ bashio::log.info "Granting ${PRIVILEGES} to ${USERNAME} on ${DATABASE}"
+ mysql -e "REVOKE ALL PRIVILEGES ON ${DATABASE}.* FROM '${USERNAME}'@'%';" || true
+ mysql -e "GRANT ${PRIVILEGES} ON ${DATABASE}.* TO '${USERNAME}'@'%';" || true
+ else
+ bashio::log.info "Granting all privileges to ${USERNAME} on ${DATABASE}"
+ mysql -e "GRANT ALL PRIVILEGES ON ${DATABASE}.* TO '${USERNAME}'@'%';" 2> /dev/null || true
+ fi
 done
 # Generate service user
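Review bot: `PRIVILEGES` is interpolated verbatim into `GRANT ${PRIVILEGES} ON ${DATABASE}.*`, but `bashio::config` on a list option emits one entry per line (as I recall its jq query does), so a `privileges` list with more than one entry yields `GRANT SELECT<newline>INSERT ON db.*`, which the server rejects as a syntax error — and because the `REVOKE ALL PRIVILEGES` just before it has already succeeded and both statements end in `|| true`, that user silently ends up with no privileges at all. Join the entries before building the statement, e.g. `PRIVILEGES=$(bashio::config "rights[${right}].privileges" | tr '\n' ',')` followed by `PRIVILEGES=${PRIVILEGES%,}`, and consider `bashio::log.warning` on a failed GRANT rather than swallowing it. Separately, as I read MariaDB's grant semantics, `REVOKE ALL PRIVILEGES ON db.*` does not strip a previously granted `GRANT OPTION` (which the config schema explicitly allows in `privileges`), so shrinking a user's list later will not take that right away unless you also run `mysql -e "REVOKE GRANT OPTION ON ${DATABASE}.* FROM '${USERNAME}'@'%';" || true`. The enclosing `for right in …` loop begins outside this hunk.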