diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
index d2a7cf1720ab058984be9e230adca5331a07287f..f0120bae2cb325a7c222f5d07601a27e761fcce5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
@@ -86,11 +86,12 @@ public interface PerunAdapterMethods {
 	 * Perform check if user can access service based on his/her membership
 	 * in groups assigned to facility resources
 	 *
-	 * @param facility Facility object
-	 * @param userId ID of user
+	 * @param facility                  Facility object
+	 * @param userId                    ID of user
+	 * @param accessControlDisabledAttr
 	 * @return TRUE if user can access, FALSE otherwise
 	 */
-	boolean canUserAccessBasedOnMembership(Facility facility, Long userId);
+	boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr);
 
 	/**
 	 * Fetch facility attribute values
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
index 36b09cd6dfba7e2291543e7cc2e8123a26ab69e0..1160ca0d29d375e6582873ab39a0c7fa0c91f940 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
@@ -62,12 +62,12 @@ public class PerunAdapterImpl extends PerunAdapter {
     }
 
     @Override
-    public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+    public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
         try {
-            return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId);
+            return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
         } catch (UnsupportedOperationException e) {
             if (this.isCallFallback()) {
-                return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId);
+                return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
             } else {
                 throw e;
             }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
index e38c288acd3e073682b02a1838d76c84662036c8..6f93e3a182c793e44a713acd6a849a476752e30f 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
@@ -142,14 +142,14 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
 	}
 
 	@Override
-	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
-		Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), null);
+	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
+		Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), accessControlDisabledAttr);
 		if (groupsWithAccessIds == null || groupsWithAccessIds.isEmpty()) {
 			return false;
 		}
 
 		Set<Long> userGroupIds = getGroupIdsWhereUserIsMember(userId, null);
-		if (userGroupIds == null || userGroupIds.isEmpty()) {
+		if (userGroupIds.isEmpty()) {
 			return false;
 		}
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
index 66db96adb1f2e2819c6e909e76f0de6486bfc3d6..05501b4c4395eb565b6b4d45ecb4920573d4d0e7 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
@@ -132,12 +132,12 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 	}
 
 	@Override
-	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String ignoreAttr) {
 		if (!this.connectorRpc.isEnabled()) {
 			return true;
 		}
 
-		List<Group> activeGroups = getGroupsWhereUserIsActiveByFacility(facility.getId(), userId);
+		Set<Group> activeGroups = getGroupsWhereUserIsActive(facility.getId(), userId, ignoreAttr);
 		return !activeGroups.isEmpty();
 	}
 
@@ -1002,6 +1002,19 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		return groups;
 	}
 
+	private Set<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
+		if (!this.connectorRpc.isEnabled()) {
+			return new HashSet<>();
+		}
+
+		Map<String, Object> map = new LinkedHashMap<>();
+		map.put("facility", facilityId);
+		map.put("user", userId);
+		JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
+
+		return new HashSet<>(RpcMapper.mapGroups(jsonNode));
+	}
+
 	private Set<Resource> getResourcesAssignedToFacility(Long facilityId, Long userId, String ignoreAttribute) {
 		if (!this.connectorRpc.isEnabled()) {
 			return new HashSet<>();
@@ -1010,7 +1023,7 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		Set<Resource> result = new HashSet<>();
 		for (Resource resource : resources) {
 			PerunAttributeValue attrValue = getResourceAttributeValue(resource.getId(), ignoreAttribute);
-			if (attrValue == null || attrValue.isNullValue()) {
+			if (attrValue == null || attrValue.isNullValue() || !attrValue.valueAsBoolean()) {
 				result.add(resource);
 			} else {
 				log.debug(
@@ -1251,19 +1264,6 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		return true;
 	}
 
-	private List<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
-		if (!this.connectorRpc.isEnabled()) {
-			return new ArrayList<>();
-		}
-
-		Map<String, Object> map = new LinkedHashMap<>();
-		map.put("facility", facilityId);
-		map.put("user", userId);
-		JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
-
-		return RpcMapper.mapGroups(jsonNode);
-	}
-
 	private Map<Long, Vo> convertVoListToMap(List<Vo> vos) {
 		if (!this.connectorRpc.isEnabled()) {
 			return new HashMap<>();
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
index 9c92242b0b3bebdb2381a21317eae40277eed9bb..40929bae022bc5c3f4e8feabe8828f6334226ee1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
@@ -31,6 +31,11 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
  *
  * Configuration:
  * - based on the configuration of bean "facilityAttrsConfig"
+ * Configuration of filter (replace [name] part with the name defined for the filter):
+ * <ul>
+ *     <li><b>filter.[name].accessControlDisabledAttr</b> - resource attribute which triggers if resource assigned
+ *     groups should not be used for controlling access. When not specified, all groups will be used.</li>
+ * </ul>
  * @see FacilityAttrsConfig
  * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
  *
@@ -39,15 +44,19 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
 @Slf4j
 public class PerunAuthorizationFilter extends AuthProcFilter {
 
+	protected static final String ACCESS_CONTROL_DISABLED_ATTR = "accessControlDisabledAttr";
+
 	private final PerunAdapter perunAdapter;
 	private final FacilityAttrsConfig facilityAttrsConfig;
 	private final PerunOidcConfig config;
+	private final String accessControlDisabledAttr;
 
 	public PerunAuthorizationFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
 		super(ctx);
 		this.perunAdapter = ctx.getPerunAdapterBean();
 		this.config = ctx.getPerunOidcConfigBean();
 		this.facilityAttrsConfig = ctx.getBeanUtil().getBean(FacilityAttrsConfig.class);
+		this.accessControlDisabledAttr = ctx.getProperty(ACCESS_CONTROL_DISABLED_ATTR, null);
 	}
 
 	@Override
@@ -65,7 +74,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 		}
 
 		return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
-				perunAdapter, facilityAttrsConfig);
+				perunAdapter, facilityAttrsConfig, accessControlDisabledAttr);
 	}
 
 	@Override
@@ -73,9 +82,14 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 		return false;
 	}
 
-	private boolean decideAccess(Facility facility, PerunUser user, HttpServletRequest req,
-								 HttpServletResponse response, String clientIdentifier, PerunAdapter perunAdapter,
-								 FacilityAttrsConfig facilityAttrsConfig)
+	private boolean decideAccess(Facility facility,
+								 PerunUser user,
+								 HttpServletRequest req,
+								 HttpServletResponse response,
+								 String clientIdentifier,
+								 PerunAdapter perunAdapter,
+								 FacilityAttrsConfig facilityAttrsConfig,
+								 String accessControlDisabledAttr)
 	{
 		Map<String, PerunAttributeValue> facilityAttributes = perunAdapter.getFacilityAttributeValues(
 				facility, facilityAttrsConfig.getMembershipAttrNames());
@@ -85,7 +99,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 			return true;
 		}
 
-		if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId())) {
+		if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId(), accessControlDisabledAttr)) {
 			log.info("{} - user allowed to access the service", getFilterName());
 			return true;
 		} else {