
I have a list of system users who have access to almost everything via sudo. Now I would like to restrict their sudo access for the su command.

I would like to restrict the su command for every user on the system and allow every system user to su to one specific user only (in this case it is tomcat):

#user_name should be able to do *sudo su tomcat* but not *sudo su another_user*
user_name ALL=/bin/, !/bin/su, /bin/su tomcat

I tried different combinations for this but unfortunately couldn't make it work.

Here is my complete /etc/sudoers file:

Defaults   !visiblepw
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)   ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

The /etc/sudoers.d/ has another file which contains the following:

meraj ALL=(ALL) NOPASSWD:ALL
siraj ALL=(ALL) NOPASSWD:ALL

# Members of the group 'sysadmin' may gain root privileges
%sysadmin ALL=(ALL) NOPASSWD:ALL

Update 2: When I do sudo -l from user meraj, I get this:

Matching Defaults entries for meraj on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User meraj may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (root) ALL, (root) !/bin/su
    (root) /bin/su tomcat

When I do sudo /bin/su tomcat or sudo /bin/su siraj then it asks me the password:

[sudo] password for meraj:
Meraj Rasool

1 Answer

username       ALL=(root)      /bin/su tomcat

works for me. If it doesn't work for you, it may be because of another entry in the sudoers file, that permits a much wider range of commands, possibly unrestricted access to /bin/su - we'd need to see the whole of your sudoers file, unredacted, as well as detailed cut-and-paste of the failures, to be able to comment on that.

Edit: you have clarified that you are elsewhere granting the users permissions to do everything. I found that explicitly removing sudo privileges to do su, with e.g.

username       ALL=(root)      ALL, !/bin/su

before giving them back just for tomcat with the line I quote at the beginning of my answer, worked. If this doesn't work for you, could you show us the output of sudo -l for such a user, plus the outputs of sudo /bin/su tomcat and sudo /bin/su userC (where userC is a third user)?

MadHatter
  • @MadHatter Thanks for the response. I have updated the question with further details. – Meraj Rasool Mar 23 '16 at 10:45
  • And I my answer. – MadHatter Mar 23 '16 at 10:50
  • Question has been updated with further information and output of the commands. – Meraj Rasool Mar 23 '16 at 11:05
  • If that output is current, you haven't done what I suggested in this answer. Also, what happens if you provide the password? – MadHatter Mar 23 '16 at 11:41
  • I added these two lines to the end of the sudoers file: 'meraj ALL=(root) ALL, !/bin/su meraj ALL=(root) /bin/su tomcat' And still the same result. I pasted the updated sudo -l output as well in my original question. – Meraj Rasool Mar 23 '16 at 12:23
  • Updating these lines as: `meraj ALL=(root) ALL, !/bin/su meraj ALL=NOPASSWD: /bin/su tomcat` solves my problem; the su command is now blocked for all users except for tomcat. – Meraj Rasool Mar 23 '16 at 13:02
  • Can I ask you to clarify? Are you saying that when you did as we advised you, it worked as you said you wanted it to? If so, please accept this answer by clicking on the "tick" outline next to it, which will indicate to all that the problem is resolved. – MadHatter Mar 23 '16 at 13:29
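The reason the answer's revoke-then-regrant pattern only works when the `!/bin/su` entry comes after the broad `ALL` grant is that sudo applies the last matching sudoers entry. The following is an added toy model of that evaluation (not sudo's own code, and it ignores hosts, groups, aliases and wildcards) run over the entries in the order `sudo -l` listed them for the questioner; the sample sudoers text is constructed from this thread.

```python
import re
from collections import namedtuple

# Simplified model of sudoers evaluation (added illustration, not sudo's own
# code): entries are checked in file order and the LAST matching one decides,
# which is why "!/bin/su" only helps when it sits after the broad ALL grant.
# Ignored: hosts, %groups, aliases, wildcards, Defaults, sudoers.d ordering.
Rule = namedtuple("Rule", "user runas command deny nopasswd")
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\((\S+)\)\s*)?(.*)$")

def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops comments and #includedir
        if not line or line.startswith("Defaults"):
            continue
        user, _host, runas, cmds = RULE_RE.match(line).groups()
        nopasswd = False                  # a tag stays in effect for later cmds
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:"):
                if cmd.upper().startswith(tag):
                    nopasswd, cmd = tag == "NOPASSWD:", cmd[len(tag):].strip()
            rules.append(Rule(user, runas or "root", cmd.lstrip("!"),
                              cmd.startswith("!"), nopasswd))
    return rules

def command_matches(pattern, command):
    # ALL matches anything; a bare path matches any arguments; path + args is exact
    if pattern == "ALL":
        return True
    pat, cmd = pattern.split(), command.split()
    return cmd[0] == pat[0] if len(pat) == 1 else cmd == pat

def decide(rules, user, command, runas="root"):
    """Return (allowed, password_prompt). Last match wins; sudo authenticates
    before reporting a denial, so a refused command still prompts."""
    allowed, prompt = False, True
    for r in rules:
        if (r.user in (user, "ALL") and r.runas in (runas, "ALL")
                and command_matches(r.command, command)):
            allowed, prompt = not r.deny, not r.nopasswd
    return allowed, prompt
# Constructed sample in the order sudo -l listed the question's rules:
# broad drop-in grant, then the revoke, then the narrow NOPASSWD re-grant.
FIXED = """meraj ALL=(ALL) NOPASSWD:ALL
meraj ALL=(root) ALL, !/bin/su
meraj ALL=NOPASSWD: /bin/su tomcat"""
# Same entries with the broad grant last: it becomes the final match again.
WRONG_ORDER = "\n".join(reversed(FIXED.splitlines()))
```

With the entries in the listed order, `decide(parse_sudoers(FIXED), "meraj", "/bin/su siraj")` is denied but still prompts for a password, which is the behaviour the questioner saw; with the broad grant moved last, the same command is allowed again, so check `sudo -l` order after editing `/etc/sudoers` or any file in `/etc/sudoers.d`.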