You have two options.
1) If users are in the DEFAULT group you can update that group.
2) Create a new group using the ADD command of Security and assign the USERS to limit to that GROUP.
ADD | ngname,cgname
ngname | The name to give to the created group.
cgname | The name of the existing group you want to copy.
Which ever method that you choose to use you will need to go the the COMMANDS section and look at the ALTER field.
Help for the ALTER field states:
Whether the command is considered to be a command that can alter or update the system.
You can then change the Allow to FAIL and include M or L which will send messaging to the AUDIT log or the SYSTEM log when a User attempts to issue the command.