After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current username-to-user group information for mobile users and users at remote networks. While configuring Group Mapping in the Cloud Identity Engine performs username-to-user group mapping, those user groups are not selectable in security policy rules. You can populate the groups to allow them to be selected in security policy rule drop-down lists by either configuring a next-generation firewall as a Master Device or configuring the Cloud Identity Engine to do so. Alternatively, you can implement User-ID mapping in policies using long-form Distinguished Name (DN) entries.