there are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:
# sample /etc/suauth file
# A couple of privileged usernames may
# su to root with their own password.
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
root:ALL EXCEPT GROUP wheel:DENY
# Perhaps terry and birddog are accounts
# owned by the same person.
# Access can be arranged between them
# with no password.
this is, as i said, an arbitrary listm, and explicitly defined. what you should possibly look at first is some forms of implicit access. in /etc/pam.s/su you have the pam level access to su, and in there you should have a line like:
auth required /lib/security/pam_wheel.so use_uid
this states that in order to even begin using su, the user must be a member of the "wheel" group. so you don't manually provide them su access, you simply add them to an existing group, and things fall into place. I only ended up researching this in general as the password-less suing for wheel users stopped working, and so i ended up ignoring pam and using the NOPASS option in suauth, which feels a lot more of a cheap hack that following things through in pam.