Forum Discussion

Scott_Hopkins
Apr 08, 2010

Re: Isolation of privileges

Is it possible to provide a non-admin user with the F5 Management Pack for SCOM, and require the big3d be upgraded manually on the BigIP itself? From a security perspective, this seems like giving SCOM the keys to the castle, even if we have no desire to use the full integration SCOM offers. It also raises some PCI concerns we're still investigating, as it seems that someone with admin access to the SCOM configuration has full access to the BigIP, with access to the ASM config and logs as well.

1 Reply

  • Dave_Ruddell_79
    Historic F5 Account
    Hey Scott,

    Yes, this is possible. We've set up a few sample User Roles in the Administration -> Security -> User Roles section. If you look at the 3 F5 User Roles, the Big3d Administrator role will be particularly interesting to you. If you look under tasks, it shows the "Authorized for Big3d Update" Task. This task is run when discovery is initiated, which means any user running discovery that does not have access to this Task will not be able to update Big3d. Also, even SCOM Admins still require an admin user name and password for the BigIP in order to perform any major configuration changes to the device (including Big3d). On that note, any credentials entered for the BigIP are cached against the AD user running the task, so if you are the only one with the keys to the castle, it will stay that way as long as no one can log in under your user account.

    On another note, if you wish to upgrade the Big3d manually, instructions are listed here on how to do that: Click Here. After that, just make sure the user doesn't have access to the "Authorized for Big3d Update" task and you are set. Let us know if you have any other concerns with this.

    Thanks,

    Dave