customizing remote alias

We have Deployer 651 that we are trying to use. However, it uses Admisnitrator ACL to perform all its functions (documentation says “Internal” which is incorrect).

We have a few users which we do NOT want to give access to deploy to say, PRD instance (yes to QA, testing instances…). How can we restrict part of the remote alias list from showing (or may be grey out) for those users?

I know this would require some custom code - however I am just curious what approach would you guys think of ?