What is the EEM policy configuration to limit the machines for which a user has access to send a MACH_ONLINE/MACH_OFFLINE event?

AUTOSYS WORKLOAD AUTOMATION

When a user sends a MACH_ONLINE/OFFLINE event, there are two policy checks that are done.

as-sendevent - this is just to see if the user has general access to send a MACH_ONLINE/OFFLINE event, regardless of which machine. When AutoSys sends this authorization check to EEM, the resouce is just the instance name by itself.

as-machine -  For a user to have permission to put a specific machine ONLINE/OFFLINE, they must have as-machine execute permission. The resource for as-machine is INSTANCE.MACHINE_NAME.

Give the user general access to MACH_ONLINE/OFFLINE in the as-sendevent default policy, and then use an as-machine policy to limit them to the machines for which you want to grant access.