It's probably easiest to just restrict Write permissions on the 'Caller' field on the incident form (or whatever field you're using the macro on). You can test on the /demo instance. It restricts write permissions on the 'incident.caller_id' object to the 'itil' role using system security. The icon doesn't show up if the user doesn't have write permissions.

If that doesn't work for you for whatever reason, then you'll have to modify the UI macro itself. That means that you won't get upgrades to that UI macro record in the future. If you choose to go that route then this UI macro script should do what you want.

<?xml version="1.0" encoding="utf-8" ?>
<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide" xmlns:j2="null" xmlns:g2="null">
<j:if test="${gs.hasRole('itil')}">
<g:evaluate var="jvar_guid" expression="Packages.com.glide.util.Guid.generate(this);" />
<j:set var="jvar_n" value="show_incidents_${jvar_guid}:${ref}"/>
<g:reference_decoration id="${jvar_n}" field="${ref}"
  onclick="showRelatedList('${ref}'); "
  title="${gs.getMessage('Show related incidents')}" image="images/icons/tasks.gifx"/>

<script>
// show related list
// todo: should be part of the PopupWindow class
// todo: needs new stack name
function showRelatedList(reference) {
  var s = reference.split('.');
  var tableName = s[0];
  var referenceField = s[1];
  var url =  tableName + '_list.do?';
  url += '&amp;';
  var v = g_form.getValue(referenceField);
  url += 'sysparm_query=' + referenceField + '=' + v;

  var w = getTopWindow();
  w.popupOpenFocus(url, 'related_list',  950, 700, '', false, false);
}

</script>
</j:if>
</j:jelly>