that depends on if you want to redirect users away the you should use init hook since no output or headers are sent before that hook. or if you want to display a nice “You Don’t have the right permissions to access this page” message then you can use the wp_head action hook:
//display meassage
add_action('admin_head','my_restrict_access');
function my_restrict_access_meassage(){
global $pagenow;
if ($pagenow == 'upload.php' && !current_user_can( 'upload_files' )){
echo '<div class="wrap"><br />
<div id="message" class="error">You Dont have the right permissions to access this page</div>
</div>';
exit();
}
}
//or redirect
add_action('init','my_restrict_redirect');
function my_restrict_redirect(){
global $pagenow;
if (!is_admin())
return '';
if ($pagenow == 'upload.php' && !current_user_can( 'upload_files' )){
wp_redirect( home_url() );
die();
}
}