Using Allow and Deny Rules for Access Control
You can control access to the server based on the client user name, the user's group membership, or the computer from which the user connects. For each of these categories, you can allow or deny access, or use a combination of allow and deny. You can specify rules for specific users, groups, or hosts, or use regular expressions to match multiple users, groups, or hosts with a single entry. Name matching is not case-sensitive.
The server first checks to see if access is allowed from the client host computer. If the client host is allowed, the server then checks both user and group rules to see if the client user is allowed access. For both host-based and group/user-based access control, the server uses the following logic to determine whether to allow a connection.
For the examples below, users are attempting to connect to a server with the following access control configuration. (No client host access items are configured.)
Group access settings:
User access settings:
Sample access with the configuration above: