pam_group —
Group PAM module
[service-name] module-type
  control-flag pam_group
  [arguments]
The group service module for PAM accepts or rejects users based on their
  membership in a particular file group.
The following options may be passed to the
    pam_group module:
  - deny
- Reverse the meaning of the test, i.e., reject the applicant if and only if
      he or she is a member of the specified group. This can be useful to
      exclude certain groups of users from certain services.
- fail_safe
- If the specified group does not exist, or has no members, act as if it
      does exist and the applicant is a member.
- group=groupname
- Specify the name of the group to check. The default is
      “wheel”.
- root_only
- Skip this module entirely if the target account is not the superuser
      account.
- authenticate
- The user is asked to authenticate using his own password.
Thepam_group module and this manual page were developed
  for the FreeBSD Project by ThinkSec AS and NAI Labs,
  the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR
  contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS
  research program.