Hi Arshad,
I guess it should be defined in the radius server which you use for different set of users. Which radius server you are using... is it a cisco ACS or some third party. For every user there is a setting to define the privelege level. You can fine tune tune there for the groups you have.
If it is cisco ACS. Then you can have two different groups created based on the privileage levels and get them restricted. If it is a third party then you have to check with that particular platform setting.
Please do rate if the given information helps.
By
Karthik