If a user in your organization has multiple
responsibilities, that user might have multiple usernames (accounts),
each with distinct privileges for accessing a particular set of
services, but with all the usernames sharing the same IP address
(the client system of the user). However, the User-ID agent can
map any one IP address (or IP address and port range for terminal server
users) to only one username for enforcing policy, and you can’t
predict which username the agent will map. To control access for
all the usernames of a user, you must make adjustments to the rules,
user groups, and User-ID agent.
For example, say the firewall
has a rule that allows username corp_user to access email and a
rule that allows username admin_user to access a MySQL server. The
user logs in with either username from the same client IP address.
If the User-ID agent maps the IP address to corp_user, then whether
the user logs in as corp_user or admin_user, the firewall identifies
that user as corp_user and allows access to email but not the MySQL
server. On the other hand, if the User-ID agent maps the IP address
to admin_user, the firewall always identifies the user as admin_user
regardless of login and allows access to the MySQL server but not
email. The following steps describe how to enforce both rules in
this example.
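To make the behavior above concrete, here is an added simulation (not code from the page or from the User-ID agent itself) of one-username-per-IP mapping applied to the two rules in the example, plus an audit function that flags IP addresses seen with more than one username. The rule records, the login-event tuples and the `keep` policy are constructed assumptions standing in for the agent's real data.

```python
from collections import defaultdict

# Constructed rules from the example: each allows one username to one application.
RULES = [
    {"name": "allow-email", "user": "corp_user", "app": "email"},
    {"name": "allow-mysql", "user": "admin_user", "app": "mysql"},
]

# Constructed login events as (client IP, username); one client, two usernames.
LOGIN_EVENTS = [
    ("10.1.1.5", "corp_user"),
    ("10.1.1.5", "admin_user"),
    ("10.1.1.9", "corp_user"),
]


def build_mapping(events, keep="last"):
    """Simulate the agent holding one username per IP address.

    Which username wins is not predictable in practice; 'first' and 'last'
    are two possible outcomes, not a documented agent setting."""
    mapping = {}
    for ip, user in events:
        if keep == "first" and ip in mapping:
            continue
        mapping[ip] = user
    return mapping


def allowed(mapping, rules, ip, app):
    """Policy lookup: traffic is matched on the mapped username for the IP,
    not on the username the person actually logged in with."""
    user = mapping.get(ip)
    return any(r["user"] == user and r["app"] == app for r in rules)


def ips_with_multiple_users(events):
    """Audit check: client IPs that have been associated with more than one
    username, i.e. the hosts where enforcement is unpredictable."""
    seen = defaultdict(set)
    for ip, user in events:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    for keep in ("first", "last"):
        m = build_mapping(LOGIN_EVENTS, keep)
        print(keep, m["10.1.1.5"],
              "email:", allowed(m, RULES, "10.1.1.5", "email"),
              "mysql:", allowed(m, RULES, "10.1.1.5", "mysql"))
    print("IPs needing attention:", ips_with_multiple_users(LOGIN_EVENTS))
```

Running the audit over real login or mapping records before rolling out username-based rules tells you which hosts need the rule, group and agent adjustments the text refers to.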