If you have not configured a next-generation firewall as a master device or configured a Cloud Identity Engine to populate users and groups in security policy rules, you can use long- or short-form distinguished name (DN) entries in Strata Cloud Manager and Panorama instead. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Strata Cloud Manager and Panorama.

Long DN Name format: cn=admin,ou=standard,ou=groups,ou=productionad,dc=paloaltonetworks,dc=com

Common Name/Short Name format: paloaltonetworks.com\admin

For example, given a User named Bob Alice who works in IT and is located on the first floor, a matching security policy may have cn=first_floor, ou=it_staff, dc=dev, dc=example, dc=com if the policy is to be applied to all IT staff on the first floor, or cn=Bob Alice, ou=it_staff, dc=dev, dc=example, dc=com if the policy is only to be applied to Bob Alice.