A user gains access to an application one of two ways, being given access directly, or by belonging to a group that has access. In order to deny a user access to an application, it must be removed from both the users account, and all the users groups.