11-09-2016 08:20 AM - edited 03-11-2019 12:13 AM
Is it possible to limit who can log in to a 'My Devices' portal, within a specific identity store (not just the entire identity store), on any version of ISE?
Here’s the scenario:
Helpdesk needs to be able to add MAC addresses of workstations that need network access but aren’t going to boot into Windows. They will use a boot CD or USB stick to launch them into a GHOST type setup that will re-image them or provide network share access but not via a Windows OS. Let’s assume this booted OS doesn’t do 802.1x. Also, this is a remote site where ALL wired ports are using 802.1x, so there is no place locally to take the system for re-imaging. Therefore the workstation needs to pass MAB.
I would like to provide the helpdesk staff a customized 'My Devices' portal that will allow the helpdesk staff to log in and add the MAC addresses of these workstations that need re-imaging. The portal adds the devices to a whitelist group that already has authT/authZ policies in place. That’s the easy part.
The hard part is this: can we restrict who can log into this specific My Devices portal based on an AD user/security group? My gut tells me no. You can specify which identity store sequence to use for the portal, but that’s as granular as it gets. I don't want to allow ALL users of this identity store to be able to log into this portal, add a MAC address and then get onto the wire with it. Only authorized users in one or two specific AD security groups.
I suppose we could try setting up a separate LDAP connector to the same AD but limit it to a specific group in the LDAP setup. This way the portal uses the entire Identity Store, which is designed to only access 1) the specific AD and 2) only users in specific groups. But I'm not sure if that's even possible. I am less experienced with the LDAP identity store options than I am with the AD or RADIUS setups.
Thoughts?
11-01-2017 04:22 AM
Hi,
Did you ever get a working workaround for restricting access to the My Devices portal?