My previous suggestion on changing the confd.conf parameter is meant to disable cli access through ssh for the entire system. If this is to be done on a per user basis, you need to use the NACM rules and define a command rule to deny all CLI operation access to for the group that the user belongs to. One way to do it is to add the following cmdrule to the rule-list for that group in aaa_init.xml as follows:
<cmdrule xmlns="http://tail-f.com/yang/acm">
<name>cli</name>
<context>cli</context>
<command>*</command>
<access-operations>*</access-operations>
<action>deny</action>
</cmdrule>