Is there a method to restrict the scope of remote execution users?

I can create a user.
I can create a role.
I can assign a role to a user or group.

If the role is designed as a "remote execution user" (which includes the filter create_template_invocations or create_job_invocations - not sure which it is, off the cuff, but that's not important):

Is there a way to limit the scope of what Job Templates are available to the user (or group) for execution?

I have Templates which are designed for the administrators to manage servers, but I now want to define a group who are only interested in inquiring about certain sets of server status. These users will not make changes to any servers managed by Satellite. But they may want to learn what packages are installed, or what the configuration of chrony.conf includes... for example.

Essentially, I want users with Administrative priv's, and users with Limited priv's.

Thanks.