Hi Colin
A ruleset is a container of risks and risks contains functions. Actions (transactions) and Permissions (authorisations) are define the function.
You need to either maintain an existing function and add your Z Permission Group to it or you need to create a new function with the Z Permission Group and then assign it to a risk (or create a new risk). After that you need to generate the ruleset to obtain the changes.
In terms of what to do, are you trying to say if a user has any of the custom objects then you want it to flag as a risk? If you so you need to build a function and add those permission groups in and then create a critical permission risk that you add the function to. You assign it to the ruleset when you define the risk. At the end you generate the risk.
There have been a few questions regarding critical actions/permissions and how to add a permission group without an associated action. Have a look at SCN and sap marketplace from some KB articles.
e.g GRC Function - Action maintenance
GRC300 is the course for Access Controls and it not Basis only. Perhaps your colleague attended GRC100 as it is the overview of the component and explains integration with Access Controls, Process Controls and Risk Management.
Good luck with it
Regards
Colleen