First, find where su is located.
You can see its path with the command below:
which su
If you want only users in the root group to be able to become root,
change the file's access mode with 'chmod':
chmod 4750 <location of su>
Now only members of the root group can become root.
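
A way to verify the result of the steps above (an added example, not part of the original text). The function name check_su_restricted is made up for this example and it assumes GNU or BusyBox stat; besides the mode it checks that su is owned by root:root, because mode 4750 only limits su to the root group when root is the file's group.

```shell
#!/bin/sh
# Added example: audit that su is setuid and executable only by one group.
# Usage: check_su_restricted "$(command -v su)"
#
# check_su_restricted PATH [OWNER] [GROUP]
#   returns 0 when PATH has mode 4750 and is owned by OWNER:GROUP
#   returns 1 and prints each failed check otherwise
# OWNER and GROUP default to root (hypothetical parameters for this example).
check_su_restricted() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-root}

    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file"
        return 1
    fi

    # %a = octal mode, %U = owner name, %G = group name (GNU/BusyBox stat)
    info=$(stat -c '%a %U %G' "$path") || return 1
    set -- $info
    mode=$1
    owner=$2
    group=$3

    rc=0
    # 4750: setuid, rwx for owner, r-x for group, nothing for others
    if [ "$mode" != "4750" ]; then
        echo "FAIL: mode is $mode, expected 4750"
        rc=1
    fi
    # setuid only yields root if the file's owner is root
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi
    # the r-x group bits apply to the file's group, so it must be the intended one
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $path is $mode $owner:$group"
    fi
    return "$rc"
}
```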