Admin role settings

Hi, I want to set up a rule for admin’s access to the zscaler portal.
how can i make it so that certain admins can only be able to view the one time passwords for each device on the Zscaler App Portal??
(along with that i want those admins to be able to ONLY view logs, edit pac files for their region, and also be able to send tickets to the Zscaler help. anything other than that, i want to restrict)

@dcreedy might be able to answer this one.