The users of CA-TDM want to use RI Manager to define rules for extracting/masking Production data. 

So how to ensure they will not be allowed to do anything other than this (i.e. not be able to define any actual RI within Db2). 

Is it actually possible to restrict the use of RI Manager to just the ability to define rules "outside of Db2" for when extracting/masking data only.

Release : 20.0

Component : CA RI Manager for DB2 for z/OS

The duties cannot be separated  

If you don't have the underlying auth to create System Defined RI (ALTER TABLE AUTH) 
you can only create User Defined RI.

If you have EXECUTE auth, you will be able to create RCX strategies - 
but if you don't have SELECT AUTH you won't be able to extract data.