diff --git a/README.md b/README.md index 642855a..3a1d8b7 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,9 @@ though generally include things such as the following. * `/etc/security/limits.conf` * `/etc/security/limits.d` +The management of `/etc/security/access.conf` can be controlled by the +`pam::manage_accesslogin` parameter (enabled by default). + ### Setup requirements This module requires `stdlib`. When deployed by default it will require `nsswitch`. See below for more information. diff --git a/manifests/init.pp b/manifests/init.pp index 47f1420..c1536c8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -8,6 +8,11 @@ # origins in access.conf. The default allows the root user/group from origin # 'ALL'. # +# @param manage_accesslogin +# Boolean to manage the inclusion of the pam::accesslogin class. +# Can be useful if /etc/security/access.conf is managed externally. +# Defaults to true. +# # @param login_pam_access # Control module to be used for pam_access.so for login. Valid values are # 'required', 'requisite', 'sufficient', 'optional' and 'absent'. @@ -188,6 +193,7 @@ # class pam ( Variant[Array, Hash, String] $allowed_users = 'root', + Boolean $manage_accesslogin = true, Enum['absent', 'optional', 'required', 'requisite', 'sufficient'] $login_pam_access = 'required', Enum['absent', 'optional', 'required', 'requisite', 'sufficient'] @@ -277,7 +283,9 @@ } if ($facts['os']['family'] in ['RedHat','Suse','Debian']) { - include pam::accesslogin + if $manage_accesslogin { + include pam::accesslogin + } include pam::limits package { $package_name: diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 40591fa..d1e11ea 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
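Review bot: In manifests/init.pp, neither the new `@param manage_accesslogin` text nor the `if $manage_accesslogin` guard says what happens to `allowed_users` and the `*_pam_access` controls when the flag is false. `login_pam_access` still defaults to 'required', so the PAM stacks presumably keep calling pam_access.so while this module no longer writes access.conf, and whatever file exists on the node (or none) then decides who may log in. pam::accesslogin is not visible in this diff, so this should be confirmed. I would extend the doc comment with `# When false, allowed_users is not applied by this module; access.conf must be provided and kept restrictive by whatever manages it.` and consider a catalog-time hint such as `if !$manage_accesslogin and $allowed_users != 'root' { warning('pam::allowed_users has no effect when manage_accesslogin is false') }`. The class body starts and ends outside these hunks.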
@@ -261,6 +261,12 @@
 it { is_expected.not_to contain_class('nsswitch') }
 end
 
+ context 'with manage_accesslogin parameter set to false' do
+ let(:params) { { manage_accesslogin: false } }
+
+ it { is_expected.not_to contain_class('pam::accesslogin') }
+ end
+
 [true, false].each do |value|
 context "with limits_fragments_hiera_merge parameter specified as a valid value: #{value}" do
 let(:params) { { limits_fragments_hiera_merge: value } }
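Review bot: The new context only checks that the class is absent; it does not check that the catalog still compiles once pam::accesslogin is left out, so a `require` or `notify` elsewhere in the module that points at a resource from that class would go unnoticed. Adding `it { is_expected.to compile.with_all_deps }` to this context would cover that. A matching assertion that the default still contains `pam::accesslogin` may already exist outside the hunk; if not, it is worth adding so the managed default cannot regress silently. The enclosing describe block and the facts it sets are outside the hunk.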