I don't think there's another way than the two ways you've already described.
IMO, moving the admin tool to a separate domain (and server!) would be the best option here in terms of security. That way, there are clear boundaries and fewer attack vectors and you also don't need to do as much bookkeeping.
IMO, moving the admin tool to a separate domain (and server!) would be the best option here in terms of security. That way, there are clear boundaries and fewer attack vectors and you also don't need to do as much bookkeeping.