Hi Roger,
I dont think you can do this by group unless there is a group on the CIs that you want to restrict, and the users you want to allow to see those CIs are members of that group. The reason is because you cannot cross objects in a data partition constraint, but rather you can only specify who can see the data based on an attribute of that data. For example, for a ticket, if it has a certain group on it, you can specify to only allow users who are in that ticket's group to view that ticket. But what you are trying to do is restrict view to one object (CIs) based on the user having an attribute of another object (Groups), which may or may not be tied to those CIs. So this would only work if the CIs had a group and you want to restrict it to members of that group.
Hope this helps a bit.
Jon I.