diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
index 3ace172f32..a7e5621425 100644
--- a/modules/administration-guide/nav.adoc
+++ b/modules/administration-guide/nav.adoc
@@ -74,6 +74,7 @@
 **** xref:configuring-oauth-1-for-a-bitbucket-server.adoc[]
 **** xref:configuring-oauth-2-for-microsoft-azure-devops-services.adoc[]
 *** xref:configuring-cluster-roles-for-users.adoc[]
+*** xref:configuring-advanced-authorization.adoc[]
 *** xref:removing-user-data-in-compliance-with-the-gdpr.adoc[]
 * xref:managing-ide-extensions.adoc[]
 ** xref:extensions-for-microsoft-visual-studio-code-open-source.adoc[]
diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc
new file mode 100644
index 0000000000..410e37d516
--- /dev/null
+++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc
@@ -0,0 +1,54 @@
+:_content-type: PROCEDURE
+:description: Configuring advanced authorization
+:keywords: authorization, user, group
+:navtitle: Configuring advanced authorization
+// :page-aliases:
+
+[id="configuring-advanced-authorization"]
+= Configuring advanced authorization
+
+You can determine which users and groups are allowed to access {prod-short}.
+
+.Prerequisites
+
+* An active `{orch-cli}` session with administrative permissions to the destination {orch-name} cluster. See {orch-cli-link}.
+
+.Procedure
+
+. Configure the `CheCluster` Custom Resource. See xref:using-the-cli-to-configure-the-checluster-custom-resource.adoc[].
++
+[source,yaml,subs="+quotes,+attributes"]
+----
+spec:
+  networking:
+    auth:
+      advancedAuthorization:
+        allowUsers:
+          - __<allow_users>__ <1>
+        allowGroups:
+          - __<allow_groups>__ <2>
+        denyUsers:
+          - __<deny_users>__ <3>
+        denyGroups:
+          - __<deny_groups>__ <4>
+----
+<1> List of users allowed to access {prod}.
+<2> List of groups of users allowed to access {prod} (for {ocp} only).
+<3> List of users denied access to {prod}.
+<4> List of groups of users denied to access {prod} (for {ocp} only).
++
+. Wait for the rollout of the {prod-short} server components to be completed.
+
+[NOTE]
+====
+
+To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list.
+To deny a user access to {prod-short}, add them to the `denyUsers` list. Alternatively, choose a group the user is a member of and add the group to the `denyGroups` list.
+If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}.
+
+If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists.
+If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed to access {prod-short}.
+
+If both `allow` and `deny` lists are empty, all users are allowed to access {prod-short}.
+
+====