Prisma Access requires that you configure IP address-to-username mapping to consistently enforce user-based policy for mobile users and users at remote network locations. In addition, you need to configure username to user-group mapping if you want to enforce policy based on group membership.

To select the groups from a drop-down list when you create and configure policies in Panorama, you can also configure Panorama to obtain the list of user groups retrieved from the username-to-user group mapping.

The following sections provide an overview and the steps you perform to configure and implement User-ID and use the Cloud Identity Engine to get IP address-to-username and username-to-user group mapping in Prisma Access.