Hi @jrgong
This is not difficult to do via a plugin, as you probably know well.
Basically, you could create a list of staff (by email, username, etc) as a global setting, similar to how Discourse defines developers by email address.
Then, you could use that GlobalSettting in some patches to permit the two use cases are you are interested in.
The first of your use cases: customize themes as staff, is relatively straight forward to core monkey patch, I think.
The second use case of yours, with not much work, you could fork this plugin and redesign the route access constraint in this plugin (and any other required changes):
https://github.com/discourse/discourse-adplugin/blob/master/plugin.rb#L73
Because the constraint for the ads plugin is built into the plugin, it’s a good idea to actually change that code to permit your “permitted” staff to access the parts of that plugin you wish to permit, based on your own RBAC.
In other words, both of the requirements you want are both doable, if you are willing to write the code; or of course you can ask one of the skillful Discourse plugin dev pros to help you in #marketplace