Use Long-Form DN Entries to Implement Group-Based Policy

If you have a standalone Prisma Access deployment that does not use a Master Device, you can reference groups in security policy rules by entering long-form distinguished name (DN) entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.
For example, given a user named Bob Alice who works in IT and is located on the first floor, a matching security policy could use cn=first_floor, ou=it_staff, dc=dev, dc=example, dc=com to apply the policy to all IT staff on the first floor, or cn=Bob Alice, ou=it_staff, dc=dev, dc=example, dc=com to apply the policy only to Bob Alice.