I Would create different roles for the different systems (DEV/TEST and Production).
In some companies, the Development team only has display access in production and if really needed, they use a firefighter procedure to solve any problems in production. In dev/test they have broader roles with development authorizations.
Hope this helps!