diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
index 6aed734..38e7cf8 100644
--- a/roles/sssd/templates/sssd.conf.j2
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -28,3 +28,8 @@ ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key
 
 auth_provider = krb5
 krb5_realm = {{ kerberos_realm }}
+{% if sssd_allow_groups is defined %}
+
+access_provider = simple
+simple_allow_groups = {{ sssd_allow_groups | join(',') }}
+{% endif %}