diff --git a/doc/source/security/kubernetes/overview-of-system-accounts.rst b/doc/source/security/kubernetes/overview-of-system-accounts.rst index 81e97c221..39c212f29 100644 --- a/doc/source/security/kubernetes/overview-of-system-accounts.rst +++ b/doc/source/security/kubernetes/overview-of-system-accounts.rst @@ -53,3 +53,4 @@ For more information, refer to the following: starlingx-openstack-kubernetes-from-stsadmin-account-login kubernetes-cli-from-local-ldap-linux-account-login manage-local-ldap-39fe3a85a528 + selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c diff --git a/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst b/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst new file mode 100644 index 000000000..4622144cf --- /dev/null +++ b/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst 
@@ -0,0 +1,111 @@ +.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c: + +======================================================== +Selectively Disable SSH for Local OpenLDAP and WAD Users +======================================================== + +Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication. +Thus, it is neccessary to disallow |SSH| authentication for selective users. + +--------------------------------- +Linux Group denyssh Configuration +--------------------------------- + +The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with +denied |SSH| access will be added. The group is configured in the |SSHD| +configuration file ``/etc/ssh/sshd_config`` and will be available to use after +system deployment. + +Check the ``denyssh`` Linux group created at platform installation: + +.. code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh + denyssh:x:10000 + +---------------------------------- +Deny SSH Access for OpenLDAP Users +---------------------------------- + +.. rubric:: |proc| + +#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add + the user to Linux group ``denyssh`` during the creation of the |LDAP| user + account. + + Example: + + .. code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup + Enter username to add to LDAP: test1 + Successfully added user test1 to LDAP + Successfully set password for user test1 + Warning : password is reset, user will be asked to change password at login + Add test1 to sudoer list? (yes/NO): yes + Successfully added sudo access for user test1 to LDAP + Add test1 to secondary user group? (yes/NO): yes + Secondary group to add user to? 
[sys_protected]: denyssh + Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local + Enter days after which user password must be changed [90]: + Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Enter days before password is to expire that user is warned [2]: + Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + +#. Verify that the new user is a member of the ``denyssh`` group. + + Example: + + .. code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ id test1 + uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh) + [sysadmin@controller-0 ~(keystone_admin)]$ groups test1 + test1 : users denyssh + sysadmin@controller-0:~$ getent group|grep denyssh + denyssh:x:10000:test1 + +#. Log in as user ``test1``. + + The login should be denied. + +#. Remove the user from ``denyssh`` group. + +#. Attempt to :command:`ssh` as the user. + + The :command:`ssh` should be successful. + + Example: + + .. code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh + Password: + Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local + [sysadmin@controller-0 ~(keystone_admin)]$ id test1 + uid=10005(test1) gid=100(users) groups=100(users) + +----------------------------- +Deny SSH Access for WAD Users +----------------------------- + +.. rubric:: |proc| + +#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``. + +#. Add the |WAD| user to the ``denyssh`` |WAD| group. + +#. Attempt to :command:`ssh` as the |WAD| user. + + The login should be denied. + +#. Remove the user from |WAD| group ``denyssh``. + + The user should be able to :command:`ssh`. + + + + + diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index 0c9251e31..4c9667dd1 100755 --- a/doc/source/shared/abbrevs.txt 
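Review bot: the new page states that ``denyssh`` is "configured in the |SSHD| configuration file ``/etc/ssh/sshd_config``" but never shows the directive, and the WAD section's "same GID as the Linux group" requirement is left unexplained; show the relevant ``sshd_config`` line (e.g. ``DenyGroups denyssh``) under "Linux Group denyssh Configuration" and state that sshd matches the group by name as resolved through NSS, which is why a WAD group must carry both the name ``denyssh`` and GID 10000, then add an ``id <wad-user>`` verification step (mirroring step 2 of the OpenLDAP procedure) before the ssh attempt so the reader can confirm ``10000(denyssh)`` appears in the user's supplementary groups. In the OpenLDAP procedure the ``sudo ldapdeleteuserfromgroup test1 denyssh`` example sits under step 5 ("Attempt to ssh as the user") although it belongs to step 4 ("Remove the user from denyssh group"); move it up, and give steps 3 and 5 their own example (the ``ssh test1@<oam-ip>`` attempt and the expected denied/successful outcome), since every other step has one. Step 3 should read "Attempt to :command:`ssh` as user ``test1``" rather than "Log in", because the point of the feature is that K8s API login keeps working while only SSH is refused. Smaller items: "neccessary" -> "necessary" and "for selective users" -> "for selected users" in the intro; the ``getent group denyssh`` output is missing its empty member field (``denyssh:x:10000:``); the step 2 example mixes the ``[sysadmin@controller-0 ~(keystone_admin)]$`` and ``sysadmin@controller-0:~$`` prompts; answering ``yes`` to "Add test1 to sudoer list?" in an example whose purpose is to deny shell access sends a mixed signal, answer ``NO`` there; the ``.. code-block::`` directives carry no language argument (``none`` would do); and the file ends with several blank ``+`` lines that should be trimmed.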
+++ b/doc/source/shared/abbrevs.txt @@ -183,6 +183,7 @@ .. |SSH| replace:: :abbr:`SSH (Secure Shell)` .. |SSL| replace:: :abbr:`SSL (Secure Socket Layer)` .. |SSSD| replace:: :abbr:`SSSD (System Security Services Daemon)` +.. |SSHD| replace:: :abbr:`SSHD (Secure Shell Daemon)` .. |STP| replace:: :abbr:`STP (Spanning Tree Protocol)` .. |SWACT| replace:: :abbr:`SWACT (SWitch ACTivity)` .. |TAI| replace:: :abbr:`TAI (International Atomic Time)`
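Review bot: the ``abbrevs.txt`` list is kept in alphabetical order (``|SSH|``, ``|SSL|``, ``|SSSD|``, ``|STP|``) but the new ``|SSHD|`` entry is inserted after ``|SSSD|``; move it between ``|SSH|`` and ``|SSL|`` so the sort order is preserved. The expansion "Secure Shell Daemon" is acceptable, though the new page uses the substitution only once and refers in the same sentence to the literal file ``/etc/ssh/sshd_config``, so plain ``sshd`` (the daemon's actual name) may read better than an abbreviation there.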