At this time the as-machine policy can be used to grant/deny access to AE machine names, not the underlying node_name references.
Example: Create an as-machine explicit deny policy where the resource is ACE.wil* With that in place users will be denied if they try to insert a new machine that started with "wil". But users can insert a machine definition with a name of "fake" and set the node_name to "wil". With the explicit deny in place users would also be restricted from performing "autorep -q -J wil" or issuing sendevent -E STARTJOB -J job1 where job1 is defined to run on machine "wil". Users would also not be able to take the machine on or offline via sendevent -E MACH_ONLINE -n wil sendevent -E MACH_OFFINE -n wil
If users want the node_name to be added as a security check within Workload Automation AE please post the "idea" on communities.ca.com. AE clients can vote the idea up or down. Product mgmt reviews the ideas to help determine the future directions/features of the product.