Role-based admin: OTP "reset only" user
Allow a group that can access the XG and only be allowed to reset OTP; this will allow lower tiers the ability to reset tokens if phones are lost
There should be a OTP-admin role too, who can add, delete and reset tokens - but nothing else.
Mohammed Shahid commented
separate option for admin user profile to reset end user password only, same like disconnect live user