I wrote an article related to what you are asking:
The article describes how you can use rulesets to filter based on groups, and what to do if a user is not in the groups you are filtering on.
m.bagheryan, seems to be employing a version of what is described in the article I wrote
It was a perfect article but I just read it 5min ago and rate it as 5 star.
I believe you and Andre in Web Gateway and your Articles are amazing as it use to be.
I could not follow it properly especially the user defined property.
But i was able to do it with , "if Authentication.Usergroup contains<group name> ans URL filtering categoriy is <Category> then Stop rule set"
I did this for all three group and added a deny all rule at the bottom of the rule set.
Is it possible for you to explain how user defined would work.
Is there any way to contact you
can you share the screenshot and also if it is possible the rules you made?