Cisco AAA/Identity/Nac :: Can Add / Modify ACS 5.2 CLI User Roles


My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope.  We are migrating from ACS v4.2 to v5.2.  I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal.  The user role does not have privileges for show start-config or show running-config.  Am I missing something or are these the only 2 roles available at the CLI?  Can another rolle be added?