perhaps im just to dissy ..

how can i restrict the access for some vpn client to only rdp?
i tried it in the user permission with an entry like this:
192.168.0.50/32:tcp/3389
192.168.0.50/32:upd/3389
but the user still can get access to other services in the company-network.
what am i doing wrong?
thanks and stay healthy