You probably cant do it thought ACL because the ccmadin and the ccmuser pages use the same ports. Even if you changed the port, they still both use the same ports.
You should really use the Application user account security built into CUCM. Turn on account login failures and you will know if someone is trying to log into the CUCM pages that does not have access. Usually reports the IP address and usernames tried. (RTMT)