When a user sends a MACH_ONLINE/OFFLINE event, there are two policy checks that are done.
as-sendevent - this is just to see if the user has general access to send a MACH_ONLINE/OFFLINE event, regardless of which machine. When AutoSys sends this authorization check to EEM, the resouce is just the instance name by itself.
as-machine - For a user to have permission to put a specific machine ONLINE/OFFLINE, they must have as-machine execute permission. The resource for as-machine is INSTANCE.MACHINE_NAME.
Give the user general access to MACH_ONLINE/OFFLINE in the as-sendevent default policy, and then use an as-machine policy to limit them to the machines for which you want to grant access.