Service ACLs are configured in Server Admin, can be applied to all services or just some services. You can specify if you want the service to be allowed by All users/groups or just specific users/groups.
If you specify by specific users/groups, you can then build a list of users/groups to allow for that service.
(The GUI does not allow you to deny per service or per user, only allow to specific users/groups)