

# Deny user access with Service Control Policies

To immediately block an IAM Identity Center user from making authorized API calls when that user's access is disabled or the user is deleted, you can:

1. [Add or update](howtoviewandchangepermissionset.md) the [inline policy](permissionsetcustom.md#permissionsetsinlineconcept) of the permission set(s) assigned to the user by adding an explicit `Deny` effect for all actions on all resources.

1. Specify the `aws:userid` or `identitystore:userid` condition key.

Alternatively, you can use a [Service Control Policy](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) to deny the user's access across all member accounts in your organization.

**Example SCP to deny access**  
This denial policy blocks all Amazon actions for a specific user, regardless of other permissions they might have been granted elsewhere. This policy overrides any `Allow` policies.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:UserId": "*:deleteduser@domain.com"
                }
            }
        }
    ]
}
```

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "identitystore:UserId": "DELETEDUSER_ID"
                }
            }
        }
    ]
}
```
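The following Python sketch is an added example, not part of the original documentation or any Amazon tooling. It builds the two deny policies above and checks them against constructed request contexts, to show which sessions each condition catches. The `deny_policy` and `is_denied` helpers and the `AROAEXAMPLEROLEID` role ID are hypothetical. The evaluator handles only single string values with `StringLike` and `StringEquals`, and it assumes `aws:userid` takes the form `role-id:session-name` with the Identity Center username as the session name.

```python
import re

def deny_policy(operator, key, value):
    """Build the deny-all policy shown above for a single condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {operator: {key: value}},
        }],
    }

def _string_like(pattern, value):
    # StringLike is case-sensitive: '*' matches any run of characters,
    # '?' matches exactly one character, everything else is literal.
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None

OPERATORS = {"StringLike": _string_like, "StringEquals": lambda p, v: p == v}

def is_denied(policy, context):
    """Return True if a Deny statement's conditions all match the context."""
    # Condition key NAMES are case-insensitive; the VALUES are not.
    ctx = {k.lower(): v for k, v in context.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for op, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = ctx.get(key.lower())
                # A key absent from the request context never matches,
                # so the Deny does not apply to that request.
                if actual is None or not OPERATORS[op](expected, actual):
                    matched = False
        if matched:
            return True
    return False

BY_NAME = deny_policy("StringLike", "aws:UserId", "*:deleteduser@domain.com")
BY_ID = deny_policy("StringEquals", "identitystore:UserId", "DELETEDUSER_ID")

if __name__ == "__main__":
    # Constructed context: a session of the deleted user through any role.
    ctx = {"aws:userid": "AROAEXAMPLEROLEID:deleteduser@domain.com"}
    print("username policy denies:", is_denied(BY_NAME, ctx))
    print("user-ID policy denies:", is_denied(BY_ID, ctx))
```

The username pattern is matched case-sensitively, so the value in the policy has to match the session name exactly as it appears in `aws:userid`; the `identitystore:UserId` policy applies only to requests whose context carries that key.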