Thanks for all your replies.
I managed to solve it in the end.
I found out that when you type su -
it calls su.original.
I have set up an alias
alias patrol='sudo -u patrol -i'
and added this to the sudoers file.
PATROL ALL=NOPASSWD: !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, /bin/su - patrol, /bin/su.original - patrol
PATROL ALL=(patrol) NOPASSWD: ALL
This has solved the problem.
Users defined in the PATROL user alias can now su - patrol without a password, but are denied ROOT access.
Patrol is also denied root access.
Hope this helps someone else.
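
The first sudoers line in the post depends on how sudo evaluates a command list: entries are checked in order, the last matching entry decides, and a request that matches nothing is refused. The following is an added example, not part of the original post, that models this for requests to run as root. The function names and sample requests are constructed, and Python's fnmatch stands in for sudo's own wildcard matcher as an approximation.

```python
import fnmatch

# Cmnd list from the first sudoers line in the post, in its original order.
CMND_LIST = ("!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, "
             "/bin/su - patrol, /bin/su.original - patrol")


def parse_cmnd_list(text):
    """Split a Cmnd list into (allow, path, args_pattern) tuples.

    Simplification: assumes no escaped commas and no Cmnd_Alias names.
    """
    specs = []
    for item in text.split(","):
        item = item.strip()
        allow = not item.startswith("!")
        path, _, args = item.lstrip("!").strip().partition(" ")
        # No arguments in the rule means any arguments are accepted.
        specs.append((allow, path, args.strip() or None))
    return specs


def decide(specs, path, argv):
    """True/False from the last matching entry; None when nothing matches
    (sudo refuses the request in that case)."""
    verdict = None
    joined = " ".join(argv)
    for allow, spec_path, spec_args in specs:
        if not fnmatch.fnmatchcase(path, spec_path):
            continue
        if spec_args is None or fnmatch.fnmatchcase(joined, spec_args):
            verdict = allow  # later matches override earlier ones
    return verdict


if __name__ == "__main__":
    specs = parse_cmnd_list(CMND_LIST)
    # Constructed sample requests, as resolved path + argument list.
    samples = [
        ("/usr/bin/su", ["-", "patrol"]),
        ("/usr/bin/su", ["-"]),
        ("/usr/bin/su", ["-", "root"]),
        ("/bin/su.original", ["-", "patrol"]),
        ("/bin/su", ["-"]),
    ]
    for path, argv in samples:
        print(path, " ".join(argv), "->", decide(specs, path, argv))
```

A result of None means no entry in the list covers the request, so it is refused by default rather than by one of the `!` entries.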