
Restrict access to a group of devices in NSO using nacm rules

ammhassa@cisco.com
Cisco Employee

Currently, we have the following rule-list configured in NSO working as per requirement. 

 

nacm rule-list service-profile-2
 group [ nso-hu ]
 rule node-offload
  module-name nodeoffload
  path /services/nodeoffload
  access-operations create,read,update,delete
  action permit
  context *
 !
 rule tailf-aaa-user
  module-name tailf-aaa
  path /user[name='$USER']
  access-operations create,read,update,delete
  action permit
 !
 rule tailf-webui-user
  module-name tailf-webui
  path /webui/data-stores/user-profile[username='$USER']
  access-operations create,read,update,delete
  action permit
 !
 rule tailf-aaa-alluser
  module-name tailf-aaa
  path /user
  action deny
 !
 rule tailf-aaa-aaa
  module-name tailf-aaa
  path /aaa
  action deny
 !
 rule nacm
  module-name ietf-netconf-acm
  path /
  action deny
 !
 rule l2vpn
  module-name l2vpn
  path /services/l2vpn
  access-operations create,read,update,delete
  action permit
  context *
 !
 rule hu-devices
  module-name devices
  path /devices/device-group[name='vrp']
  access-operations read
  action deny
  context *
 !
 rule read-only
  path /
  access-operations read
  action permit
 !
 cmdrule c-logout
  command logout
  action deny
 !
 cmdrule j-logout
  command "request system logout"
  action deny
 !
 cmdrule any-command
  action permit
 !
!

 

We want to add a restriction in this rule-list based on device groups, i.e. devices belonging to group "vrp" should be accessible to the user (mapping to the above rule). In other words, the user should be able to deploy services on "vrp" group devices only.

 

admin@nso-msl-01# show devices device-group vrp
devices device-group vrp
member [ EdgeX16-Abha-701-1 EdgeX16-Baha-712-1 EdgeX16-Kham-702-1 EdgeX16-Naj-708-1 EdgeX16-Sab-705-1 EdgeX16A-Kham-702-1 HRTPE1-Mak-105-1 HRTPE1-Mak-105-2 HRTPE1-Mak-203-1 HRTPE1-Mak-203-2 HRTPE1-Manf-104-1 HRTPE1-Manf-104-2 HRTPE1-Nad-129-1 HRTPE1-Nad-129-2 HRTPE1-Naf-116-42-1 HRTPE1-Naf-116-42-2 HRTPE1-Naj-708-1 HRTPE1-Naj-708-2 HRTPE1-Nas-114-1 HRTPE1-Nas-114-2 HRTPE1-Shim-103-1 HRTPE1-Shim-103-2 HRTPE1-Sho-118-1 HRTPE1-Sho-118-2 ]
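
To audit what the rule-list as posted decides for a given request, the following added example (not part of the original post and not NSO code) applies the first-match rule evaluation of RFC 8341 to the posted data rules. Assumptions: request module names reuse the names in the post, the read/write defaults are the RFC 8341 ones, `$USER` is replaced by the session user, and `context` and the cmdrules are ignored.

```python
import re

# Data rules from the posted rule-list, in order: (name, module, path, ops, action).
# module=None or ops=None means the leaf is absent, so the rule matches any value.
CRUD = {"create", "read", "update", "delete"}
RULES = [
    ("node-offload", "nodeoffload", "/services/nodeoffload", CRUD, "permit"),
    ("tailf-aaa-user", "tailf-aaa", "/user[name='$USER']", CRUD, "permit"),
    ("tailf-webui-user", "tailf-webui", "/webui/data-stores/user-profile[username='$USER']", CRUD, "permit"),
    ("tailf-aaa-alluser", "tailf-aaa", "/user", None, "deny"),
    ("tailf-aaa-aaa", "tailf-aaa", "/aaa", None, "deny"),
    ("nacm", "ietf-netconf-acm", "/", None, "deny"),
    ("l2vpn", "l2vpn", "/services/l2vpn", CRUD, "permit"),
    ("hu-devices", "devices", "/devices/device-group[name='vrp']", {"read"}, "deny"),
    ("read-only", None, "/", {"read"}, "permit"),
]
# RFC 8341 defaults, used when no rule matches (assumed unchanged on this system).
DEFAULTS = {"read": "permit", "create": "deny", "update": "deny", "delete": "deny"}

def segments(path):
    # Split "/a/b[k='v']" into [("a", ""), ("b", "[k='v']")]; "/" gives [].
    return re.findall(r"/([^/\[]+)((?:\[[^\]]*\])*)", path)

def path_matches(rule_path, node_path, user):
    rule = segments(rule_path.replace("$USER", user))
    node = segments(node_path)
    if len(rule) > len(node):
        return False
    # Each rule segment must name the same node; a key predicate, if given, must match too.
    return all(rn == nn and (rp == "" or rp == np)
               for (rn, rp), (nn, np) in zip(rule, node))

def decide(user, module, path, op):
    """Return (action, rule_name) for the first matching rule, or the default."""
    for name, rmod, rpath, ops, action in RULES:
        if rmod not in (None, module):
            continue
        if ops is not None and op not in ops:
            continue
        if path_matches(rpath, path, user):
            return action, name
    return DEFAULTS[op], "default"
```

Calling `decide()` with a user name, module, path and operation returns the action and the name of the rule that produced it, which makes the effect of rule order visible before a new device-group rule is inserted.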
