Trying to restrict deployment to only 1 group

Hi all, I am trying to restrict the ability to deploy to our live environment to only 1 group (devops if that is a factor) .

I have created the group and it only has 1 user in it (freddie atm) but despite removing all environment permissions and just setting devops as the group that can deploy, everyone else in our team still has the ability to deploy too, they need need to be able to work with the master branch but should not be allowed to deploy, I am guessing there is something else up the permission chain that needs removing however I cannot see anything that restricts deployment, also what does restricted admin actually restrict. 

What are the default permissions as the user I created  in devops only has that as his group but still sees all the deployment environments and that seems odd as devops is only assigned to one environment.

Cheers