Typically you would control access to libraries by modifying the permissions on the folder that contains the library.
If that folder has access granted to SASUSERS (the group that contains all users), then any new user would have access.
If you intend to limit access to SASUSERS and grant access to a specific group, be sure the SAS General Servers group is a member of that new group or otherwise has access to ensure shared servers like Pooled Workspace and Stored Process can access it.
Here is the documentation on the topic:

Metadata Authorization Model
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0iqe26rd4ui8ln1sqg5g7cs4qhc.htm

The proper strategy for permissions in metadata is: deny globally, allow locally.

So you should remove SASUSERS access to all your libraries, and allow it specifically for each group.

Here's what we have (and I feel quite confident in how it's done because I was guided by none other than David Stern!).

We have quite a few grroups of users with widely ranging areas of analysis. This means that we have a large number of libraries (over 300 at the last count), many of which are ODBC links to databases. Each has its own set of authorised users. So, pretty much, each library is in its own folder, all within the /Shared Data folder. ACTs are applied to each of those folders, which grant all access to one group and just RM,R to another. This ensures that those permissions are inherited by an registered tables.

But in order for users to see the folders and their contents, SASUSERS needs RM access to the /Shared Data folder and that would be inherited by all its child folders. So we have another ACT which we apply to each child folder which denies all permissions to SASUSERS. The specific ACT for a child folder overrides this for the  groups which it specifies.

I hope this is useful.