then I'd define another permission like

read_not_admin

and LR over that