diff --git a/source/customizations.rst b/source/customizations.rst
index 1f1d81e3b..498fd7da0 100644
--- a/source/customizations.rst
+++ b/source/customizations.rst
@@ -362,6 +362,8 @@ We recommend setting this environment variable in ``/etc/ood/config/nginx_stage.
 
 .. warning:: This allowlist is not enforced across every action a user can take in an app (including the developer views in the Dashboard). Also, it is enforced via the apps themselves, which is not as robust as using cgroups on the PUN.
 
+.. include:: customizations/disabling-users.inc
+
 .. _set-default-ssh-host:
 
 Set Default SSH Host
diff --git a/source/customizations/disabling-users.inc b/source/customizations/disabling-users.inc
new file mode 100644
index 000000000..e26617b39
--- /dev/null
+++ b/source/customizations/disabling-users.inc
@@ -0,0 +1,10 @@
+.. _disabling-users-guide:
+
+Disabling Users
+---------------
+
+You can use the :ref:`nginx stage configuration for disabling users <disabled_shell>`
+to disable access to specific users based on the users' default ``shell``.
+
+For example you could disable access to Open OnDemand for any user with the ``/usr/bin/false``
+default shell.
diff --git a/source/reference/files/nginx-stage-yml.rst b/source/reference/files/nginx-stage-yml.rst
index 0729eddbc..985a9d131 100644
--- a/source/reference/files/nginx-stage-yml.rst
+++ b/source/reference/files/nginx-stage-yml.rst
@@ -776,17 +776,26 @@ Configuration Options
 
       For RHEL6 and CentOS 6 the user id's begin at ``500``.
 
+.. _disabled_shell:
+
 .. describe:: disabled_shell (String)
 
-   restrict starting a per-user NGINX process as a user with the given shell
+   Restrict starting a per-user NGINX process as a user with the given shell.
 
-   Default
-     For OSC restrictions
+    Default
+      Do not start a per-user NGINX for anyone with ``/access/denied`` shell.
 
-     .. code-block:: yaml
+      .. code-block:: yaml
 
         disabled_shell: "/access/denied"
 
+    Example
+      Do not start a per-user NGINX for anyone with ``/usr/bin/false`` shell.
+
+      .. code-block:: yaml
+
+        disabeled_shell: "/usr/bin/false"
+
    .. note::
 
       This will only restrict access to a per-user NGINX process started with