Disable interfaces to specific groups

As defined in ietf-netconf-acm.yang, the rules in a rule-list are processed as follows:

list rule {
  key "name";
    ordered-by user;
    description
       "One access control rule.
         Rules are processed in user-defined order until a match is
         found. A rule matches if 'module-name', 'rule-type', and
         'access-operations' match the request. If a rule
         matches, the 'action' leaf determines if access is granted
         or not.";

Continuing from the example aaa_init.xml as described in my previous posting, you should define the data access rules for a particular context before denying access to other contexts.