I have been working on a solution to only deploy certain users and their permissions as part of a Continuous Delivery effort.
In my experiment I follow these steps:
1. Set up comparision of SVN codebase vs empty DB.
2. Set the filters to exclude everything
3. Set filters to only include certain users (example: @name like 'dev\\%' ) and
4. Set filters to include all roles
Result: the users filtered out still appear under the roles and therefore the generated deployment script will fail due to the "missing" users.
I am also curious of what best practices or recommendations do you have for handling users when they are only supposed to be deployed to certain environments, but I think I will post that question in the RGDM forum.
A good example would be denying testers from prod access.