yehudaTiram there are two possible ways: with the help of IP Check & Plus Package add-ons or properly defined Access Policy & Plus Package add-on.
Note! I'm under the assumption that you need to restrict access to your custom post types (CPT) for ALL the users and visitors, except only users that belong to the Administrator role.
Option 1. With AAM UI (IP Check & Plus Package add-ons are required).
Switch to manage default access settings to all users & roles. This way your access settings are going to be propagated to everybody.
If you have both add-ons properly installed when you go to the AAM page on the Posts & Terms tab select Gear button for your CPT. This will bring the default access settings form for all your CPTs. Select REFERENCE CHECK option and in the pop-up you would need to create a rule that blocks access to all IPs where "Equals" will be a mask ... (all IPs), then select Deny for When matched, allow or deny access to the post?. After that, just create two more rules with explicitly defined whitelisted IP addresses that Allow access.
The final step is to override access settings just for the Administrator role. Simply switch to manage Administrator role and on the Post & Terms tab, for your CPT, uncheck the REFERENCE CHECK option.
Note! You can override access settings also for any individual user if necessary.
Option 1. With Access Policy (Plus Package add-on is required).
Go to the Access Policies tab and create a new policy. Then copy & past the following access policy:
{
"Version": "1.0.0",
"Dependency": {
"wordpress": ">=5.3",
"advanced-access-manager": ">=6.0.5",
"aam-plus-package": ">=5.0.3"
},
"Statement": [
{
"Effect": "deny",
"Resource": "PostType:page:posts",
"Action": [
"Read",
"List",
"Edit",
"Delete"
],
"Condition": {
"NotIn": {
"${USER.ip}": [
"0.0.0.0",
"1.1.1.1"
],
"administrator": "(*array)${USER.roles}"
}
}
}
]
}
Replace PostType:page:posts
with your CPT slug (e.g. PostType:document:posts
or PostType:houses:posts
) and IPs 0.0.0.0
, 1.1.1.1
with your desired IPs. If more IP addresses is needed, just add them as comma-separated list.
The policy above hides all CPTs and restricts access to read, edit or delete them.
The final step is to attach this policy to everybody. Switch to manage default access settings to all users & roles. Then on the Access Policies tab select the policy.
Note! While writing this post, I've noted a bug where there is no way to attach the policy to Default on "Access Policy Assignee" metabox. This is something we going to fix in the next release 6.1.0.
Hopefully, this is helpful.
Thank you,
Vasyl