Asked Wednesday, November 30, 2022, 9:53:48 (answers: 1, hits: 1705)

I want to design a sudo rule that will allow the user ricardo to update the system using aptitude, but prevent him from using sudo to run any other command (he's a problem user). Are there any pitfalls to this rule that I'm missing?

    ricardo  ALL=(root) /usr/bin/aptitude

Ricardo only uses aptitude, not apt-get. Also, I don't have Ubuntu installed anywhere at the moment, so I understand that /usr/bin/aptitude might not be the exact right file to allow.
If there are pitfalls to this rule, how can I improve it?



Answers

This command will restrict the user from using aptitude for anything but updating the repository cache and performing a safe upgrade of the system.

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade

A similar command will allow the user to perform a full upgrade, but nothing more:

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude full-upgrade

Per aptitude's documentation (10.04), safe-upgrade:

    Upgrades installed packages to their most recent version. Installed
    packages will not be removed unless they are unused

In contrast, full-upgrade:

    Upgrades installed packages to their most recent version, removing
    or installing packages as necessary. This command is less
    conservative than safe-upgrade and thus more likely to perform
    unwanted actions. However, it is capable of upgrading packages that
    safe-upgrade cannot upgrade.

Use your best judgement for which the user should be allowed to run. If you're unsure, use the first rule, which only allows safe-upgrade.

Note that if you want to allow a user to install packages (which greatly reduces any benefit to security, but hypothetically), you need to include a * after the aptitude command, i.e.

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade, /usr/bin/aptitude install *

Otherwise, you will receive an error message that user ricardo is not allowed to run the command /usr/bin/aptitude install <package_name>.

Answered by ciousuntru, Friday, December 2, 2022 [#32564]
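As an added illustration (not part of the question or the answer above), here is a small Python model of how sudo matches the command arguments in these rules, following the sudoers(5) behaviour that a command listed without any arguments may be run with any arguments, which is why the answer's rules name each aptitude subcommand explicitly. The three rule strings are copied from this thread; the parser is my own simplified model of the sudoers grammar (one user, a parenthesised Runas list, no aliases, tags or Defaults), not sudo's code.

```python
import fnmatch

# Rules copied from the thread: the questioner's original and the answer's restricted variants.
BARE_RULE = "ricardo  ALL=(root) /usr/bin/aptitude"
SAFE_RULE = "ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade"
INSTALL_RULE = SAFE_RULE + ", /usr/bin/aptitude install *"


def parse_rule(line):
    """Split 'user HOST=(runas) cmd [args], cmd [args]' into (user, [(cmd, args)]).

    Simplified sudoers(5) model (assumption): one user, a parenthesised Runas
    list, no aliases, tags or Defaults. args is None when the rule lists none.
    """
    user, rest = line.split(None, 1)
    _host_runas, cmnd_list = rest.split(")", 1)
    specs = []
    for spec in cmnd_list.split(","):
        parts = spec.strip().split(None, 1)
        specs.append((parts[0], parts[1].strip() if len(parts) > 1 else None))
    return user, specs


def args_match(rule_args, user_args):
    """Mirror sudo's argument matching: a command listed with no arguments may
    be run with ANY arguments; "" permits only an argument-less invocation;
    anything else must match exactly or as a glob (sudo uses fnmatch, so '*'
    spans spaces and therefore matches several package names at once)."""
    if rule_args is None:
        return True
    if rule_args == '""':
        return user_args == ""
    return rule_args == user_args or fnmatch.fnmatchcase(user_args, rule_args)


def is_allowed(rule, user, argv):
    """Would `sudo argv...` by `user` be permitted by this single rule line?"""
    rule_user, specs = parse_rule(rule)
    if rule_user != user:
        return False
    user_args = " ".join(argv[1:])
    return any(cmd == argv[0] and args_match(args, user_args) for cmd, args in specs)


if __name__ == "__main__":
    cases = [["/usr/bin/aptitude"], ["/usr/bin/aptitude", "safe-upgrade"],
             ["/usr/bin/aptitude", "install", "vim"], ["/usr/bin/aptitude", "full-upgrade"]]
    for name, rule in [("bare", BARE_RULE), ("safe", SAFE_RULE), ("install", INSTALL_RULE)]:
        for argv in cases:
            print(f"{name:8} {' '.join(argv):36} {'allowed' if is_allowed(rule, 'ricardo', argv) else 'denied'}")
```

Running it shows the bare rule permitting every invocation, while the restricted rules permit only the listed subcommands (and `install *` any package list).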