We need assistance with updating EEM policies that allow users to run jobs as root.
How do we create a policy for as-owner that will prevent running jobs as root?
Release : 12.0
Component : WA AE/AUTOSYS RELATED EEM
Here are two different examples of locking down as-owner, restricting root.
1 - Select only the identities that should have access to root, set the resource to root.*,
and check the box "Treat resource as regular expression".
In this example, the selected identities have full access to modify or sendevent to jobs whose owner is root.
They can also create new jobs and set the owner to root.
The existing jobs owned by root will remain, but only the identities in this policy will have access to modify or execute them.
If a job is on a cycle and runs on its own, it will continue to do so.
The scheduler does not need to pass through as-owner.
2 - Set the selected identities to All Identities.
Set the resource to root.* with the box "Treat resource as regular expression" checked.
This time, add filters at the bottom:
(
request:identity == value:peter
AND request:action within set value: execute,sendevent_jobexecute
)
or
request:action == sendevent_jobexecute
That allows peter to sendevent to and modify jobs whose owner is set to root.
Everyone else can also sendevent to jobs owned by root, but they cannot modify those jobs' definitions.
Note - if you want to give others more permissions, change the equal operator to within set and add the other ids.
Something like:
(
request:identity within set value:peter,tom
AND request:action within set value: execute,sendevent_jobexecute
)
or
request:action == sendevent_jobexecute
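To check what each of the two policies grants before deploying it, the logic described above can be modelled as follows. This is an added example, not Broadcom or EEM code. It assumes the resource regex must match the whole owner string and that owners look like user@host; alice and the host and owner names are constructed sample values.

```python
import re

# Assumptions (not from the article): the resource regex must match the whole
# owner string, and owner strings look like "user@host". The identity alice
# and all owner/host names below are constructed sample values.
RESOURCE = re.compile(r"root.*")
FILTER_ACTIONS = ("execute", "sendevent_jobexecute")


def option1_grants(identity, action, owner, identities=("peter",)):
    """Example 1: listed identities only, no filter, so any action is granted."""
    return RESOURCE.fullmatch(owner) is not None and identity in identities


def option2_grants(identity, action, owner, editors=("peter",)):
    """Example 2: All Identities, narrowed by the two filter clauses."""
    if RESOURCE.fullmatch(owner) is None:
        return False  # resource does not match: this policy grants nothing
    named_clause = identity in editors and action in FILTER_ACTIONS
    anyone_clause = action == "sendevent_jobexecute"
    return named_clause or anyone_clause


def decision_matrix(policy, **kwargs):
    """Evaluate a policy over constructed identities, actions and owners."""
    owners = ("root@prodhost", "rootsvc@prodhost", "appuser@prodhost")
    return {
        (who, act, owner): policy(who, act, owner, **kwargs)
        for who in ("peter", "tom", "alice")
        for act in FILTER_ACTIONS
        for owner in owners
    }


if __name__ == "__main__":
    for name, policy in (("option 1", option1_grants), ("option 2", option2_grants)):
        print(name)
        for (who, act, owner), ok in decision_matrix(policy).items():
            print(f"  {who:6} {act:22} {owner:18} {'grant' if ok else 'no grant'}")
```

In this model root.* also matches rootsvc@prodhost, so any owner whose name merely begins with root falls under the same policy.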
The following link outlines the as-* policy details: their scope, actions, resources, etc.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0-01/securing/security-policy-customization/customize-security-policy-and-settings/customize-access-policy/ca-eem-resource-classes-for-ca-workload-automation-ae.html