CMS uses a simple login technique currently. Where it just sets a single session variable based on the correct username and password being entered.
You could replicate that functionality so that a different username and password would set that session variable and another one as well.
Then you can create a group rule definition in Security Assist based on that second session variable. Then you could use that rule in the security assist page redirect to restrict access to insert pages as well as in the conditional region to optionally display the buttons leading to the restricted pages as well.