diff --git a/inventory/inventory.sh b/inventory/inventory.sh
index 5d5fb0d..cfbdd1a 100755
--- a/inventory/inventory.sh
+++ b/inventory/inventory.sh
@@ -112,14 +112,33 @@ all:
 "
 # Loop through each IP in the comma-separated list
+# skip if restricted user and subnet
 IFS=',' read -ra IPS <<< "$IP_LIST"
 for IP in "${IPS[@]}"; do
 ip_check=$(curl -s http://172.25.100.15:15010/ip_check?ip=${IP} | jq .in_subnets)
 echo $ip_check
-
- inventory_content+=" ${IP}:
+ echo $allsubnet_group
+ echo $SERVER_SUBNET_GROUP
+ # if this is a restricted subnet, then check the group
+ if $ip_check; then
+ echo "Subnet restricted, checking group membership"
+ if [ "$allsubnet_group" == "$SERVER_SUBNET_GROUP" ]; then
+ echo "IP Check Passed, adding endpoint ${IP} to inventory"
+ inventory_content+=" ${IP}:
+ ansible_host: ${IP}
+
+"
+ else
+ echo "Warning: User ${JENKINS_USER} not member of ${SERVER_SUBNET_GROUP}!"
+ echo "Auth Check Failed for endpoint ${IP}, not adding to inventory"
+ fi
+ # if the subnet is not restricted, just add the endpoint to the inventory
+ else
+ echo "Unrestricted subnet, adding endpoint ${IP} to inventory"
+ inventory_content+=" ${IP}:
 ansible_host: ${IP}
 "
+ fi
 done
 inventory_content+="
 vars: