The requirement is to keep some users from accessing the My VIP portal or the legacy VIP Self-Service Portal (SSP).  

Administrators or help-desk users manage the tokens on behalf of the users, instead of the users managing their own tokens.  Example:  Third-party contractors requiring two-factor authentication, but should not be able to manage their own tokens via the self service portals.

Group-level restrictions to the My VIP portal or SSP(Older self service portal) from VIP Manager is currently only supported in the My VIP Portal.

1. Create a User Group Policy in the VIP Manager and assign users to that group.

2. Restricting access to the My VIP can be done using a 3rd-party IDP (such as a SSO solution) for access. This gives administrators the ability to use their own Identity provider to secure access to VIP Manager, My VIP, and the Self-Service Portal in lieu of using the VIP EG IdPs.. (See: VIP Third-Party Identity Provider Configuration Guide)

3. Optional for the older SSP Portal. User groups/policies can be created in VIP Manager that control which credential types can be used by users or block all credential types. Users can then be added to that group and would need to contact their helpdesk to obtain a temp security token.