Well, the application is already existing. For few reasons, one or more rulesets are needed to be accessed by few developers only. We can secure the ruleset by setting a password which would be equivalent. But, my seniors seek something which can deny the access of a particular Operator to an existing ruleset.
No. You would need to make a new rule-application that omits ruleset X. Refer the new access group to the rule-application. Make sure the rule-application refers to only a chain of other rule-applications that do not have ruleset X.
Then the operator will not have access to ruleset X.
To keep things re-usable, you can have a rule-app with just X in it that refers to all the other rule-apps. The restricted operator's access group would refer only to those other rule-apps while the non-restricted operator's access group would refer to rule-app with just X in it (which, as mentioned, refers to all the other rule-apps).