At current version of ACM the permission to access the tool is managed by Sling repoinit. This way does not allow to implement scenario:

1. deny script execution for ALL users and groups, including admins
2. allow ACM and scripts access in read-only for admins
3. allow script execution to specific group/users only