diff --git a/urllogin.inc b/urllogin.inc
index ab58756..7575f7a 100644
--- a/urllogin.inc
+++ b/urllogin.inc
@@ -79,6 +79,17 @@ function urllogin_admin_settings() {
        <em>profile_firstname, profile_lastname</em>.'),
     '#default_value' => variable_get('urllogin_useprofile', 0),
   );
+  $roles = user_roles(TRUE);
+  // Remove the authenticated user role, since excluding this role would result
+  // in nobody being able to use the login links.
+  unset($roles[DRUPAL_AUTHENTICATED_RID]);
+  $form['urllogin_excluded_roles'] = array(
+    '#type' => 'checkboxes',
+    '#title' => t('Excluded roles'),
+    '#description' => t('Exclude roles from being able to login using the URLlogin module.'),
+    '#options' => array_map('check_plain', $roles),
+    '#default_value' => variable_get('urllogin_excluded_roles'),
+  );
   return system_settings_form($form);
 }
 
@@ -164,6 +175,16 @@ function _urllogin_testuid($uid, &$resultmsg) {
     $resultmsg = t('User %uid denied access', array('%uid' => $uid));
     return NULL;
   }
+  if (!empty($account->roles)) {
+    $excluded_roles = variable_get('urllogin_excluded_roles', array());
+    $excluded_roles = array_filter($excluded_roles);
+    $intersect = array_intersect_key($excluded_roles, $account->roles);
+    if (count($intersect)) {
+      $resultmsg = t('User has a role that has been excluded');
+      drupal_set_message(t('The user you are trying to login with is not authorized to login using URLlogin.'));
+      return NULL;
+    }
+  }
   $resultmsg = t('User %username (%uid) successfully validated',
     array('%username' => $account->name, '%uid' => $uid));
   return $account;