1) In your login() action implement a check for the user role. If the role is admin, redirect to whatever controller/action and set the admin prefix. If he's not an admin, redirect him to something else.
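
    if ($this->Auth->login()) {
        // Role comes from the authenticated user's session data
        if ($this->Auth->user('role') === 'admin') {
            // 'admin' => true routes to the admin-prefixed action
            $this->redirect(array(
                'admin' => true,
                'controller' => 'foo',
                'action' => 'bar'));
        } else {
            // Do something else, another redirect or whatever
        }
    }
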
There is no need to remove the /admin from the URL as it should show the user he's not authorized when he tries to access a URL he is not allowed to.
2) If you want to grant access for different roles you can use the SimpleRbacAuth I've written. Check the tests for examples of how it works. You simply define a nested array structure and add the roles you want to an action or a whole controller or grant access to everyone by using *.
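
The role-per-action idea from point 2, as an added stand-alone example that is not part of the original answer and is not SimpleRbacAuth's code or array format: the map layout, the controller and action names, and the `isAllowed()` helper are all assumptions made for illustration. Anything not listed in the map is denied.

```php
<?php
// Constructed role map (hypothetical layout, NOT SimpleRbacAuth's own format).
// A controller maps either to a plain list of roles (applies to every action)
// or to an array of action => list of roles. '*' means everyone.
$map = array(
    'Pages'   => array('*'),                     // whole controller, everyone
    'Reports' => array('admin'),                 // whole controller, admins only
    'Users'   => array(
        'login'       => array('*'),
        'profile'     => array('user', 'admin'),
        'admin_index' => array('admin'),         // admin-prefixed action
    ),
);

// Returns true only when the map explicitly grants $role (or '*') access.
function isAllowed(array $map, $controller, $action, $role)
{
    if (!isset($map[$controller])) {
        return false;                            // unknown controller: deny
    }
    $entry = $map[$controller];
    if ($entry === array_values($entry)) {
        $roles = $entry;                         // plain list: controller-wide rule
    } elseif (isset($entry[$action])) {
        $roles = $entry[$action];                // per-action rule
    } else {
        return false;                            // unlisted action: deny
    }
    return in_array('*', $roles, true) || in_array($role, $roles, true);
}

// Constructed requests: a normal user typing the /admin URL by hand is refused,
// which is why hiding the prefix from the URL adds nothing.
var_dump(isAllowed($map, 'Users', 'admin_index', 'user'));   // bool(false)
var_dump(isAllowed($map, 'Users', 'admin_index', 'admin'));  // bool(true)
var_dump(isAllowed($map, 'Users', 'login', null));           // bool(true)
var_dump(isAllowed($map, 'Users', 'delete', 'admin'));       // bool(false)
var_dump(isAllowed($map, 'Reports', 'export', 'user'));      // bool(false)
```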