Hi Mark,
From the subject line it sounds like you are trying to restrict an unrestricted user - is this correct? If a user needs to be restricted in the scope of their application capabilities (e.g. access to SAS Management Console plug-ins) or metadata object permissions then they need to be restricted users. Unrestricted users (being direct or indirect members of the Metadata Server: Unrestricted role, or having their user id, prefixed with an *, in the adminUsers.txt file), as the name suggests, are unrestricted. It doesn't matter what you have done with role/capability assignments or metadata permissions in access controls, unrestricted users always have all capabilities in all applications and all permissions on all objects.
If you want to limit the scope of this user's access to SAS Management Console plug-ins or permissions on servers, then you will need to first convert them to a restricted user (by removing their unrestricted access) before looking at roles/capabilities and permissions.
In deciding on server permissions, refer to the SAS(R) 9.3 Intelligence Platform: Security Administration Guide book, Permissions by Object Type page, and the Permission Tips for Selected System and Administrative Objects section:
To monitor or operate servers other than the metadata server, you need the Administer permission on the server. (The metadata server requires the Metadata Server: Operation role instead of the Administer permission.)
To associate a stored process, OLAP schema, or library with an application server, you need WriteMetadata permission for that application server. Certain service identities need ReadMetadata permission to all server definitions. See Permissions on Servers.
Essentially, be aware that an effective +WM is required to be able to associate other objects (stored processes, libraries, etc.) with an application server, and an effective +WM also means they can delete the server. If you need them to have +WM to associate objects but also want to limit (somewhat) the ability of that person to delete the server, then you may consider removing the capability for that person to get access by hiding Server Manager (if they are skilled enough they could potentially use metadata APIs to still delete the server - unlikely, but not sure if you need/want to consider that).
For more information on setting server permissions see Protect Server Definitions.
Cheers
Paul
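
An audit sketch for the two routes to unrestricted status named in the reply above (an asterisk-prefixed ID in adminUsers.txt, or direct or indirect membership of the Metadata Server: Unrestricted role). This is an added example, not part of the original post and not SAS code. The file content, the membership map and all function names are constructed for illustration, and one user ID per line is assumed for the file.

```python
UNRESTRICTED_ROLE = "Metadata Server: Unrestricted"
# Constructed adminUsers.txt content; assumed format: one ID per line, "*" = unrestricted.
ADMIN_USERS_TXT = """\
*sasadm@saspw
sasoper@saspw
*alice@saspw
"""

# Constructed membership map: role or group name -> direct members (users or groups).
MEMBERS = {
    UNRESTRICTED_ROLE: ["SAS Administrators", "bob"],
    "SAS Administrators": ["Platform Team", "sasadm@saspw"],
    "Platform Team": ["dana", "SAS Administrators"],  # deliberate cycle
    "Report Authors": ["erin"],
}

def unrestricted_from_file(text):
    """Return user IDs that carry the '*' prefix in adminUsers.txt-style text."""
    ids = set()
    for line in text.splitlines():
        entry = line.strip()
        if entry.startswith("*") and len(entry) > 1:
            ids.add(entry[1:].strip())
    return ids

def unrestricted_from_role(members, role=UNRESTRICTED_ROLE):
    """Return {user: membership path} for direct and indirect members of the role."""
    found, seen = {}, set()
    stack = [(role, [role])]
    while stack:
        name, path = stack.pop()
        if name in seen:  # guards against groups that contain each other
            continue
        seen.add(name)
        for m in members.get(name, []):
            if m in members:  # nested group: keep walking
                stack.append((m, path + [m]))
            else:
                found.setdefault(m, path)
    return found

def audit(text, members):
    # File entries win the label; role members are reported with their path.
    report = {u: "adminUsers.txt" for u in unrestricted_from_file(text)}
    for user, path in unrestricted_from_role(members).items():
        report.setdefault(user, " > ".join(path))
    return report

if __name__ == "__main__":
    print(audit(ADMIN_USERS_TXT, MEMBERS))
```

Anyone this reports is unaffected by role, capability or permission changes until that route is removed.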