diff --git a/doc/source/security/kubernetes/add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1.rst b/doc/source/security/kubernetes/add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1.rst index d1a843598..cea716947 100644 --- a/doc/source/security/kubernetes/add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1.rst +++ b/doc/source/security/kubernetes/add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1.rst @@ -8,9 +8,10 @@ Add LDAP Users to Linux Groups Using PAM Configuration ====================================================== The Linux pam_group module enables binding/mapping of |LDAP| users/groups to a -specified list of one or more Linux groups. The mapping will occur after the -|SSSD| service has discovered the |LDAP| users and groups and cached them on the -host. +specified list of one or more Linux groups. The mapping allows Linux +capabilities (via the Linux groups) to be assigned to the |LDAP| users/groups. +The mapping will occur after the |SSSD| service has discovered the |LDAP| users +and groups and cached them on the host. The mapping between the discovered |LDAP| users and their group membership to the local Linux groups works for all Linux groups, including system groups, such as @@ -18,8 +19,9 @@ local Linux groups works for all Linux groups, including system groups, such as .. note:: - The procedure described in this section applies to all the |LDAP| users, both local - OpenLDAP and |LDAP| users in the remote Windows Active Directory servers. + The procedure described in this section applies to all the |LDAP| users, + both Local |LDAP| and |LDAP| users in the remote Windows Active Directory + servers. .. rubric:: |proc| 
@@ -89,11 +91,15 @@ privileges: [pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com -Local OpenLDAP user example: +Local |LDAP| user example: -Add the line ``;%managers;Al0000-2400;sys_protected,root,sudo`` in -``/etc/security/group.conf`` to map users of the local OpenLDAP group -``managers`` to linux groups: ``sys_protected``, ``root`` and ``sudo``. +Add the following line in ``/etc/security/group.conf`` to map users of the +Local |LDAP| group ``managers`` to linux groups: ``sys_protected``, ``root`` +and ``sudo``. + +.. code-block:: + + *;*;%managers;Al0000-2400;sys_protected,root,sudo Log in with user ``johndole`` from ``managers`` group and check the user's group memberships and privileges. diff --git a/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst b/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst index 361223cd0..cc3fa36f1 100644 --- a/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst +++ b/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst 
@@ -1,35 +1,23 @@ .. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c: -======================================================== -Selectively Disable SSH for Local OpenLDAP and WAD Users -======================================================== +==================================================== +Selectively Disable SSH for Local LDAP and WAD Users +==================================================== -Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication. -Thus, it is necessary to disallow |SSH| authentication for selective users. +Local LDAP and |WAD| servers are used for K8s API and |SSH| authentication. +In some cases, it may be necessary to disallow |SSH| authentication for selective users or a +group of users. ---------------------------------- -Linux Group denyssh Configuration ---------------------------------- +The Linux group ``denyssh`` is a system created group which is preconfigured in +the |SSHD| configuration such that any member of this group is denied |SSH| access. -The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with -denied |SSH| access will be added. The group is configured in the |SSHD| -configuration file ``/etc/ssh/sshd_config`` and will be available to use after -system deployment. - -Check the ``denyssh`` Linux group created at platform installation: - -.. code-block:: - - [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh - denyssh:x:10000 - ----------------------------------- -Deny SSH Access for OpenLDAP Users ----------------------------------- +-------------------------------- +Deny SSH Access Local LDAP Users +-------------------------------- .. rubric:: |proc| -#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add +#. Create a local |LDAP| user with the :command:`ldapusersetup` command and add the user to Linux group ``denyssh`` during the creation of the |LDAP| user account. 
@@ -67,16 +55,12 @@ Deny SSH Access for OpenLDAP Users sysadmin@controller-0:~$ getent group|grep denyssh denyssh:x:10000:test1 -#. Log in as user ``test1``. +#. Ssh as user ``test1``. - The login should be denied. + The ssh should be denied. #. Remove the user from ``denyssh`` group. -#. Attempt to :command:`ssh` as the user. - - The :command:`ssh` should be successful. - Example: .. code-block:: 
@@ -87,25 +71,48 @@ Deny SSH Access for OpenLDAP Users [sysadmin@controller-0 ~(keystone_admin)]$ id test1 uid=10005(test1) gid=100(users) groups=100(users) +#. Ssh as user ``test1``. + + The ssh should be allowed. + ----------------------------- Deny SSH Access for WAD Users ----------------------------- .. rubric:: |proc| -#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``. +#. Create a |WAD| group or use an existing |WAD| group for the users that + should not have access to the platform. -#. Add the |WAD| user to the ``denyssh`` |WAD| group. + .. note:: -#. Attempt to :command:`ssh` as the |WAD| user. + The |WAD| group used should have a name other than ``denyssh``. - The login should be denied. - -#. Remove the user from |WAD| group ``denyssh``. - - The user should be able to :command:`ssh`. +#. Add the |WAD| user to the |WAD| group. + .. note:: + The |WAD| user you want to deny access to should not be a member of a + |WAD| group that has allowed access. The allowed user groups are + configured with the |SSSD| parameter ``ldap_access_filter``. Giving and + denying access to the user at the same time leads to inconsistent + authentication results. + +#. Map the |WAD| group to the existing Linux group ``denyssh`` following the |PAM| + group configuration described in :ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`. + + Example: Add the following line in ``/etc/security/group.conf`` to map the + |WAD| group to the ``denysssh`` Linux group. + + ``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh`` + +#. Attempt to ssh as the |WAD| user. + + The ssh should be denied. + +#. Remove the user from the |WAD| group. + + The user should be able to ssh.
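Review bot: in the first hunk of add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1.rst, the added sentence "The mapping allows Linux capabilities (via the Linux groups) to be assigned to the |LDAP| users/groups" is misleading: "capabilities" will be read as capabilities(7) bits, whereas pam_group confers Linux group membership. Suggest "The mapping allows Linux group privileges (for example membership of ``root``, ``sudo`` or ``sys_protected``) to be assigned to the |LDAP| users/groups." The reworded note also capitalises "Local |LDAP|" while the selectively-disable-ssh file in this same patch writes "local |LDAP| user"; pick one form for both files.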
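Review bot: in the ``@@ -89,11 +91,15 @@`` hunk, moving the mapping line into a ``.. code-block::`` and changing it to ``*;*;%managers;Al0000-2400;sys_protected,root,sudo`` is the right fix (the old line ``;%managers;Al0000-2400;sys_protected,root,sudo`` had only four fields), but the text should say what the five fields mean so readers do not copy ``*;*`` blindly: services, ttys, users, times, groups, with ``*`` matching any service and tty. Since this line hands every member of the |LDAP| group ``managers`` membership of ``root`` and ``sudo``, add one sentence stating that membership of that |LDAP| group must be controlled as tightly as local sudoers, and that the admin should verify the result with ``groups`` as the existing ``pvtest1`` example does.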
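Review bot: in the ``@@ -1,35 +1,23 @@`` hunk of selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst, the new heading "Deny SSH Access Local LDAP Users" is missing "for"; it should read "Deny SSH Access for Local LDAP Users" with the underlines extended to match. "disallow |SSH| authentication for selective users" should be "for selected users". The hunk also drops the ``getent group denyssh`` verification step and the reference to ``/etc/ssh/sshd_config``; keep at least the ``getent`` check (showing ``denyssh:x:10000``) so an operator can confirm the group exists before adding users to it, which is also what the later ``getent group|grep denyssh`` example relies on.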
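Review bot: in the ``@@ -67,16 +55,12 @@`` hunk, "Ssh as user ``test1``." and "The ssh should be denied." use "ssh" as a bare verb while the rest of the file uses the ``:command:`ssh``` role; suggest "Attempt to :command:`ssh` as user ``test1``." and "The :command:`ssh` login should be denied." The same applies to the re-added "Ssh as user ``test1``. The ssh should be allowed." step in the following hunk. It would also help to state whether an already-established session of ``test1`` is affected when the user is added to ``denyssh``, since the procedure only describes new logins.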
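Review bot: in the ``@@ -87,25 +71,48 @@`` hunk, ``denysssh`` in "map the |WAD| group to the ``denysssh`` Linux group" is a typo for ``denyssh`` (the mapping line itself, ``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh``, is correct). The note "The |WAD| group used should have a name other than ``denyssh``" gives no reason; state it, because the previous version of this procedure explicitly created a |WAD| group named ``denyssh`` with the same GID as the Linux group, and readers who followed it need to know why that is no longer recommended. Put the example line in a ``.. code-block::`` as the sibling file in this patch does, rather than an inline literal. The note about ``ldap_access_filter`` is the key security point of the hunk: a user in both an allowed |WAD| group and the denied group gets inconsistent results, so add a concrete check, for example running ``id`` as in the ``id test1`` example and confirming the group list contains ``denyssh`` and none of the allowed groups.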