Authentication Services applies access control in layers: when entries conflict, the more distinct / specific entry carries more weight.
If a user is specified by name in one access control file and as a member of a group in another access control file, then the file which lists the user by name takes precedence.
There is no option to override this rule. It applies to the standard users.allow/deny files as well as the service.allow/deny files. However, if the user is listed by name in both files, then the deny takes precedence.
Please refer to the section “Managing access control” in the Admin Guide for further details.
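
The precedence rule described above, modelled as an added Python example (not the product's own code or file syntax). The entry representation, user names and group names are constructed for illustration, and any case the text above does not decide returns `None`.

```python
# Added example: models only the precedence rules stated in this article.
# Entries are (kind, name) tuples, a constructed representation and not
# the product's file format. All names below are made up.

USER, GROUP = 2, 1  # a match by name outweighs a match by group membership


def best_match(entries, user, groups):
    """Most specific way `entries` matches the user (0 means no match)."""
    best = 0
    for kind, name in entries:
        if kind == "user" and name == user:
            best = max(best, USER)
        elif kind == "group" and name in groups:
            best = max(best, GROUP)
    return best


def resolve(allow, deny, user, groups):
    """Return (decision, reason); decision is 'allow', 'deny' or None."""
    a = best_match(allow, user, groups)
    d = best_match(deny, user, groups)
    if a == 0 and d == 0:
        return None, "no entry matches; not covered by this article"
    if a == USER and d == USER:
        return "deny", "listed by name in both files, so deny wins"
    if a == d:
        return None, "group match in both files; see the Admin Guide"
    # Assumption: a match in only one file has that file's plain effect.
    if a > d:
        return "allow", "allow entry is the more specific match"
    return "deny", "deny entry is the more specific match"


# Constructed sample entries
ALLOW = [("user", "jsmith"), ("group", "unix-admins")]
DENY = [("group", "contractors"), ("user", "mlee")]

if __name__ == "__main__":
    cases = [
        ("jsmith", {"contractors"}),             # name in allow, group in deny
        ("mlee", {"unix-admins"}),               # name in deny, group in allow
        ("kim", {"unix-admins", "contractors"}), # group match in both files
    ]
    for user, groups in cases:
        print(user, resolve(ALLOW, DENY, user, groups))
```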