SFA only allows to control session initiation (e.g. RDP or SSH) from the SFA-host to a remote host.
It does not provide any fine grained resource protection / access control.
For this you would need the PAM Server Control Windows Endpoint.
Here is the documentation which should give you ideas what options you have with this component: