Hi Santiago,
For the first requirement you can cover it through configs , thats for sure. Since you need an admin to be able to access it even in the forbidden case , you will need an enhancement in this scenario.
Please see , that you can use the BADI : CRM_ORDER_AUTH_CHECK . This can perfectly help you solve your problem
/Hasan