I agree, the resource OPSAOF does not have the granularity that I need. I do have the user set up with the appropriate access levels in the Dataset profile for each of the rule sets. It does restrict the user from saving any changes to the rule but it does not prevent them from using the UPDATE commands for the OPSAOF resource because the commands don't rely on the data set profile, they are bound to the OP$MVS.OPSAOF.
I was able to set up PLAN B which was to code up a security rule which handled the extra level of security I needed but I would really prefer a method that was centered on RACF instead of relying on Security Rules. I originally set it up to use a separate resource but as I pondered your response, Cesar, I realized I could just use the data set access to do the same thing so that is what I did. So right now I have a security rule monitoring AOF events and checking the data set access based on the command issued.