Just don't grant them access.
If you assign a user to a role that has "read" access to an index, then the user has access, otherwise they don't have access.
It's up to you to construct your roles so that users aren't given access to something they shouldn't have.