I have configured SSSD to authenticate against LDAP,
but I want to restrict which group can connect to the server.
The sssd.conf below allows users who are not members of the specified group to connect. Why?
How can I make sure that only users who are members of a certain group can log in, and not the others?
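# sssd.conf -- configuration for the SSSD daemon.
# Keep this file owned by root with mode 0600: it contains the LDAP bind password.
# Comments are written on their own lines only.

[sssd]
config_file_version = 2
# Responders to start: name-service lookups and PAM.
services = nss, pam
# Must match the name of the [domain/...] section below.
domains = example.com

[nss]
# root is never looked up in LDAP; it stays a purely local account.
filter_users = root
filter_groups = root

[pam]

[domain/example.com]
# Verbose troubleshooting level. The logs grow quickly and can contain
# directory details; lower this once the access problem is solved.
debug_level = 0x3ff0

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# Downloads every user and group into the cache. Not needed for logins and
# expensive on a large directory.
enumerate = true
# No offline logins: credentials are not cached locally.
cache_credentials = false

# Validate the server certificate. The previous value "never" accepted any
# certificate, so a host impersonating the LDAP server could have collected
# the bind password and every user password sent for authentication.
# The CA that issued the server certificate must be trusted on this host.
ldap_tls_reqcert = demand
# Placeholder path -- set it to the issuing CA if that CA is not already in
# the default trust store used by the LDAP client library:
# ldap_tls_cacert = /PATH/TO/CA-CERT.pem

# NOTE(review): the attribute mappings below (sAMAccountName,
# userPrincipalName) look like Active Directory. Confirm that groups resolve
# with this schema's default group mappings before relying on group-based
# access control.
ldap_schema = rfc2307bis

# Service account used for directory searches. Give it read-only rights.
ldap_default_bind_dn = cn=zLinux LDAP Browser,OU=Technical Accounts,OU=accounts,DC=example,DC=com
# The bind password is stored in clear text (redacted here).
# ldap_default_authtok_type also accepts obfuscated_password (value produced
# by sss_obfuscate); that only hides the value from casual viewing, it is not
# encryption, so the file permissions remain the real protection.
ldap_default_authtok_type = password
ldap_default_authtok = xxxxx

ldap_uri = ldaps://dc103.example.com:636
ldap_chpass_uri = ldaps://dc103.example.com:636
# NOTE(review): same server as ldap_uri, so this provides no failover.
ldap_backup_uri = ldaps://dc103.example.com:636

# Seconds a cached entry is considered valid before the backend is asked again.
entry_cache_timeout = 600
# Seconds to wait on a network operation before the server is treated as unreachable.
ldap_network_timeout = 3
# Seconds an LDAP connection is kept before it is re-established.
ldap_connection_expire_timeout = 60

ldap_search_base = OU=Accounts,DC=example,DC=com
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

# Access control: only members of the listed groups pass the account check.
# The check runs when a service's PAM account stack calls pam_sss.so. A service
# that does not use PAM (for example sshd with "UsePAM no"), or an account
# stack that returns success before pam_sss.so is reached, is not restricted
# by these two lines -- check /etc/pam.d for the service in question.
# NOTE(review): the group must be resolvable by SSSD in this domain. Verify
# with "getent group <group>" and "id <user>", and confirm whether this SSSD
# version expects the short group name or name@domain here.
access_provider = simple
simple_allow_groups = postgresu@example.com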