Hi M;
You are correct ... the AEM (Appeon Enterprise Manager) only recognizes the "Administrator" entity and once logged in, the Admin can perform any functionality. Very similar to EAServer's Admin account when logged into the "console" or Sybase Central ... "all or nothing" basically.
FYI: I have added the AEM access considerations as an enhancement request (#2108).
Regards ... Chris