The requirement is to keep some users from accessing the My VIP portal or the legacy VIP Self-Service Portal (SSP).  Administrators or help-desk users manage the tokens for the users instead of the users managing their own tokens.  An example would be third-party contractors requiring two-factor authentication but should not be able to manage their own tokens.

Group-level restrictions to the My VIP from VIP Manager is currently not a supported feature. However, user groups can be created in VIP Manager where adding certain credential types can be controlled in the group policy. Users can then be added to that group and would need to contact their helpdesk to obtain a temp security token. The user would still be able to login to My VIP, but would be unable to add a credential.

Restricting access to the My VIP can be done using a 3rd-party IDP (such as a SSO solution) for access. This gives administrators the ability to use their own Identity provider to secure access to VIP Manager, My VIP, and the Self-Service Portal in lieu of using the VIP EG IdPs.. (See: VIP Third-Party Identity Provider Configuration Guide)