I would restrict them to a single user. I wouldn't let them run su - to any user unless you want to give away root.
You should do something like this:
Code:
%appgroup ALL=(appuser) NOPASSWD: ALL
They can then run:
Code:
sudo -u appuser /some/command
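
As an added example (not part of the original post): a small Python audit that flags sudoers rules amounting to a root shell, the outcome the post warns about, and passes a rule pinned to one account. It assumes one rule per line with no aliases, continuations or negation; the function name and the sample rules other than the post's are constructed.

```python
import posixpath
import re

# Assumptions: one rule per line, no aliases, no line continuations, no "!" negation.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"      # optional (user[:group]) Runas spec
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"        # NOPASSWD:, NOEXEC:, ...
    r"(?P<cmds>.+)$"
)
ROOT_NAMES = {"ALL", "root", "#0"}
SHELL_LIKE = {"su", "sh", "bash", "dash", "zsh", "ksh"}
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def root_equivalent_rules(sudoers_text):
    """Return (line_no, who, reason) for rules that hand out a root shell."""
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        if m["runas"] is None:
            runas_users = ["root"]       # sudo's default target user is root
        else:
            user_part = m["runas"].split(":")[0]
            runas_users = [u.strip() for u in user_part.split(",") if u.strip()]
        if not ROOT_NAMES.intersection(runas_users):
            continue                     # pinned to named non-root users
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            name = posixpath.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL" or name in SHELL_LIKE:
                findings.append((line_no, m["who"], f"{cmd!r} runnable as root"))
                break
    return findings


# Constructed sample input; only the third rule is taken from the post above.
SAMPLE = """\
%appgroup ALL=(ALL) NOPASSWD: ALL
%appgroup ALL = NOPASSWD: /bin/su -
%appgroup ALL=(appuser) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for finding in root_equivalent_rules(SAMPLE):
        print(finding)
```

A rule that is not flagged is only free of the two patterns checked here; validate real files with `visudo -c` and review what each permitted command can do as its target user.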