diff --git a/manifests/init.pp b/manifests/init.pp
index fc5765c..582d076 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -366,22 +366,6 @@ class ssh (
 validate_array($sshd_config_macs)
 }
 
- if $sshd_config_denyusers != undef {
- validate_array($sshd_config_denyusers)
- }
-
- if $sshd_config_denygroups != undef {
- validate_array($sshd_config_denygroups)
- }
-
- if $sshd_config_allowusers != undef {
- validate_array($sshd_config_allowusers)
- }
-
- if $sshd_config_allowgroups != undef {
- validate_array($sshd_config_allowgroups)
- }
-
 if $ssh_config_hash_known_hosts_real != undef {
 validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
 }
@@ -499,6 +483,35 @@ class ssh (
 $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE']
 validate_re($sshd_config_loglevel, $supported_loglevel_vals)
 
+ #enable hiera merging for allow groups and allow users
+ if $hiera_merge_real == true {
+ $sshd_config_denygroups_real = hiera_array('ssh::sshd_config_denygroups', undef)
+ $sshd_config_denyusers_real = hiera_array('ssh::sshd_config_denyusers', undef)
+ $sshd_config_allowgroups_real = hiera_array('ssh::sshd_config_allowgroups', undef)
+ $sshd_config_allowusers_real = hiera_array('ssh::sshd_config_allowusers', undef)
+ } else {
+ $sshd_config_denygroups_real = $sshd_config_denygroups
+ $sshd_config_denyusers_real = $sshd_config_denyusers
+ $sshd_config_allowgroups_real = $sshd_config_allowgroups
+ $sshd_config_allowusers_real = $sshd_config_allowusers
+ }
+
+ if $real_sshd_config_denyusers != undef {
+ validate_array($real_sshd_config_denyusers)
+ }
+
+ if $real_sshd_config_denygroups != undef {
+ validate_array($real_sshd_config_denygroups)
+ }
+
+ if $real_sshd_config_allowusers != undef {
+ validate_array($real_sshd_config_allowusers)
+ }
+
+ if $real_sshd_config_allowgroups != undef {
+ validate_array($real_sshd_config_allowgroups)
+ }
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 1b1bc63..95cdc7e 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
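Review bot: In the manifests/init.pp hunk the new assignments create `$sshd_config_denyusers_real` and its siblings (suffix `_real`), but the four validation blocks that follow test `$real_sshd_config_denyusers` and so on (prefix `real_`), names that nothing in this hunk defines. Unless those names are set elsewhere in the class, every `!= undef` test is false and `validate_array()` never runs, so the DenyUsers, DenyGroups, AllowUsers and AllowGroups values reach sshd_config without a type check. Each block should test the name that was assigned, for example `if $sshd_config_denyusers_real != undef { validate_array($sshd_config_denyusers_real) }`. With `hiera_merge` enabled the lists are taken only from `hiera_array()`, so a list passed directly as a class parameter appears to be ignored; the comment above the block should say so and should mention the deny lists as well as the allow lists. The class body continues outside the hunk.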
@@ -167,14 +167,14 @@ Ciphers <%= @sshd_config_ciphers.join(',') %>
 MACs <%= @sshd_config_macs.join(',') %>
 <% end -%>
 <% if @sshd_config_denyusers -%>
-DenyUsers <%= @sshd_config_denyusers.join(' ') %>
+DenyUsers <%= @sshd_config_denyusers_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_denygroups -%>
-DenyGroups <%= @sshd_config_denygroups.join(' ') %>
+DenyGroups <%= @sshd_config_denygroups_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowusers -%>
-AllowUsers <%= @sshd_config_allowusers.join(' ') %>
+AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowgroups -%>
-AllowGroups <%= @sshd_config_allowgroups.join(' ') %>
+AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
 <% end -%>
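Review bot: The four guards in templates/sshd_config.erb still test the old variables (`<% if @sshd_config_denyusers -%>`), while the lines they protect now call `.join` on the `_real` variables. If the two ever differ, which the hiera merge path in init.pp seems to allow, either the directive is silently left out of sshd_config although the merged list has entries, or `.join` is called on nil and the template fails to render. Silent omission is the worse outcome for an access-control directive, because sshd then applies no restriction of that kind at all. Guard on the value that is rendered, `<% if @sshd_config_denyusers_real -%>`, and make the same change for denygroups, allowusers and allowgroups.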