The fine-tuned access you want is unfortunately not possible with Glu out of the box. You can restrict to Read-Only with USER (I double checked a minute ago), but not limit users to specific fabrics.
What I do is have 2 consoles: one for Dev/QA, the other for production. In the first one, everyone has RELEASE privileges; in the other one, a short list of people have RELEASE privileges.
We also front Glu deployments with Jenkins, which has much finer access control. We have Jenkins jobs that allow us to deploy/redeploy or simply load a new model. Each job can have per-user restrictions, which makes this work well for us.
Now that Glu 5.3.x includes the fabric name as part of the URL, it might be possible for you to front Glu with nginx and have it do access control based on username and URL, though this would probably be somewhat clunky.
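
The nginx idea in the last paragraph could be configured as follows (an added example, not part of the original post and not taken from the Glu documentation). It assumes the fabric is the first path segment after `/console/`, that the console listens on `127.0.0.1:8080`, and that nginx does its own Basic authentication; the host name, file paths, users and fabric names are placeholders.

```nginx
# Constructed example: per-user, per-fabric gate in front of a Glu console.
# ASSUMPTION: fabric-scoped URLs look like /console/<fabric>/... ; check
# this against your own Glu 5.3.x URLs before relying on it.

# Pull the fabric name out of the request path ("" when there is none).
map $uri $glu_fabric {
    default                                 "";
    ~^/console/(?<f>[A-Za-z0-9_.-]+)(/|$)   $f;
}

# Decide on "<user>:<fabric>". Anything not listed is denied.
map "$remote_user:$glu_fabric" $glu_denied {
    default              1;   # fail closed
    "~^:"                0;   # no credentials yet: auth_basic answers 401
    "~^[^:]+:$"          0;   # path without a fabric segment (login, assets)
    "alice:dev-fabric"   0;   # placeholder users and fabrics
    "alice:prod-fabric"  0;
    "bob:dev-fabric"     0;
}

server {
    listen              443 ssl;
    server_name         glu.example.internal;         # placeholder
    ssl_certificate     /etc/nginx/tls/glu.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/glu.key;       # placeholder

    location / {
        # $remote_user is read from the Authorization header before the
        # password is checked, so the map alone proves nothing; auth_basic
        # below is what validates the credentials.
        auth_basic           "Glu console";
        auth_basic_user_file /etc/nginx/glu.htpasswd; # placeholder

        if ($glu_denied) { return 403; }

        # Glu must accept connections only from this proxy (loopback bind
        # or firewall), otherwise the gate can be bypassed.
        proxy_pass       http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

The rule for paths without a fabric segment is safe only if every fabric-scoped operation carries the fabric in the path; any endpoint that selects the fabric through a parameter or the session needs its own rule.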