Deny Active Directory user


Right now we have configured opensearch to connect to LDAP for authentication.
Only users belong to a particular role -“f-bld-00” are allowed to have all_access
Other users are configured with custom read-only role in roles.yml and they are able to login but cannot modify/save data.

so far all good.

Now we need to deny other users who do not belong to “f-bld-00” role. Is it possible to define custom role again called deny-login in Roles.yml and corresponding entry in roles_mapping.yml?
what should be entries / permissions for a deny role?

Any suggestions from anyone regarding the same?