Use Long-Form DN Entries to Implement User- and Group-Based Policy
If you have not configured a next-generation firewall as a master device or configured a Cloud Identity Engine to populate users and groups in security policy rules, you can use long-form distinguished name (DN) entries in Panorama instead. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.

For example, given a user named Bob Alice who works in IT and is located on the first floor, a matching security policy may have cn=first_floor, ou=it_staff, dc=dev, dc=example, dc=com if the policy is to be applied to all IT staff on the first floor, or cn=Bob Alice, ou=it_staff, dc=dev, dc=example, dc=com if the policy is only to be applied to Bob Alice.
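
Because long-form DNs are typed by hand, a pre-check against a directory export catches typos and short-form names before they go into a rule. The following is an added example, not Palo Alto Networks code: the function names and the DIRECTORY and POLICY lists are constructed for illustration. The case-insensitive, whitespace-tolerant comparison follows common LDAP matching and is an assumption, not a statement of how Prisma Access compares entries.

```python
import re

# Split on commas not escaped with a backslash (simplified RFC 4514 handling).
_RDN_SPLIT = re.compile(r'(?<!\\),')

def parse_dn(dn):
    """Return a list of (attribute, value) pairs, or raise ValueError."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition('=')
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part.strip()!r} in {dn!r}")
        rdns.append((attr, value))
    return rdns

def normalize(dn):
    """Canonical form for comparison: lower-cased, no spaces around commas."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def check_policy_entries(policy_entries, directory_dns):
    """Map each policy entry to 'ok', 'unknown' or 'malformed: ...'."""
    known = {normalize(d) for d in directory_dns}
    results = {}
    for entry in policy_entries:
        try:
            results[entry] = "ok" if normalize(entry) in known else "unknown"
        except ValueError as exc:
            results[entry] = f"malformed: {exc}"
    return results

# Constructed sample data based on the DNs used in the text above.
DIRECTORY = [
    "CN=first_floor,OU=it_staff,DC=dev,DC=example,DC=com",
    "CN=Bob Alice,OU=it_staff,DC=dev,DC=example,DC=com",
]
POLICY = [
    "cn=first_floor, ou=it_staff, dc=dev, dc=example, dc=com",
    "cn=Bob Alice, ou=it_staff, dc=dev, dc=example, dc=com",
    "cn=Bob Alice, ou=it_staf, dc=dev, dc=example, dc=com",   # typo in OU
    "Bob Alice, ou=it_staff, dc=dev, dc=example, dc=com",     # short form, no cn=
]

if __name__ == "__main__":
    for entry, status in check_policy_entries(POLICY, DIRECTORY).items():
        print(f"{status:10} {entry}")
```

An entry reported as unknown or malformed names no user or group in the export, so review it before committing the rule.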