highlight the ability to disable users

source/customizations.rst

@@ -364,6 +364,8 @@ We recommend setting this environment variable in ``/etc/ood/config/nginx_stage.
 
 .. warning:: This allowlist is not enforced across every action a user can take in an app (including the developer views in the Dashboard). Also, it is enforced via the apps themselves, which is not as robust as using cgroups on the PUN.
 
+.. include:: customizations/disabling-users.inc
+
 .. _set-default-ssh-host:
 
 Set Default SSH Host

source/customizations/disabling-users.inc

@@ -0,0 +1,10 @@
+.. _disabling-users-guide:
+
+Disabling Users
+---------------
+
+You can use the :ref:`nginx stage configuration for disabling users <disabled_shell>`
+to disable access to specific users based on the users' default ``shell``.
+
+For example you could disable access to Open OnDemand for any user with the ``/usr/bin/false``
+default shell.

source/reference/files/nginx-stage-yml.rst

@@ -776,17 +776,26 @@ Configuration Options
 
       For RHEL6 and CentOS 6 the user id's begin at ``500``.
 
+.. _disabled_shell:
+
 .. describe:: disabled_shell (String)
 
-   restrict starting a per-user NGINX process as a user with the given shell
+   Restrict starting a per-user NGINX process as a user with the given shell.
 
-   Default
-     For OSC restrictions
+    Default
+      Do not start a per-user NGINX for anyone with ``/access/denied`` shell.
 
-     .. code-block:: yaml
+      .. code-block:: yaml
 
         disabled_shell: "/access/denied"
 
+    Example
+      Do not start a per-user NGINX for anyone with ``/usr/bin/false`` shell.
+
+      .. code-block:: yaml
+
+        disabeled_shell: "/usr/bin/false"
+
    .. note::
 
       This will only restrict access to a per-user NGINX process started with