?
Hi Andrew,
You'd probably want to use Active Directory groups of some sort... but you could either add explicit privileges or add deny privileges to the groups you don't want to go to prod.
Just keep in mind, however, that deny takes precedent over a grant in the same scope. IOW, if you say "X can deploy to A" then "X cannot deploy to A", then X will not be able to deploy to A.
Steve