Currently , it is possible to define a ACL (user and groups) for a service. To temporarily remove authorization for a set of users, administrator needs to remove the users from the specific group and this may be a lengthy process ( update ldap groups, flush caches on machines).
If there is a facility to define a reverse ACL for services, then administrator can disable users by specifying the users in reverse ACL. In other words, one can specify a whitelist of users and groups as well as a blacklist of users and groups.
One can also specify a default blacklist to disable the users from accessing any service.