There are plug-ins that allow bypassing of the Dashboard upon login.
Can’t think of any directly at the moment by name, but a quick search of “login dashboard” should reveal the proper results in the plug-in directory.
Read-only access is a given for the Subscriber role. I don’t see any reason to go beyond that, but you could always create a “Staff” role with the same permissions if naming is an issue.
https://codex.www.ads-software.com/Roles_and_Capabilities
That link, at the very bottom, has some resource links to roles and capabilities plug-ins that will allow you to create the “Staff” role.
As for allowing some pages and not others, you would have to set access level for each page. Again, a plug-in would be needed.
Hope that helps. I’m sure someone will come in here and make me look like a rank amateur rather quickly with more extensive knowledge, and that’s okay. ??
EDIT:
Just thought of something on the pages.
I think, and this would have to be looked at more in-depth, but with a plug-in you might be able to restrict access to pages within a certain category. So if you have that group of pages the “Staff” are not allowed to see, you could restrict access to the categories those pages are in by their “Staff” role.
Something to look in to as it would make restrictions a lot easier than on a page by page basis.