# 5 Key Considerations When Implementing User-Based Access Controls

By [Stephanie Johnson](https://www.paloaltonetworks.com/blog/author/stephanie-johnson/?ts=markdown "Posts by Stephanie Johnson"), Jan 18, 2017

End users, the very community of individuals chartered to preserve the integrity of your business, embody a profound vulnerability point within your network's security infrastructure. By the year 2020, IDC expects that mobile workers, in the United States alone, will account for nearly three quarters of the total workforce^\*^. As a result, IP addresses are no longer an effective proxy for end users, because users are constantly moving to different physical locations and using multiple devices, operating systems, and application versions to access the data they need. It's now critical to an organization's risk posture to identify who the network's users are -- beyond IP address -- and the inherent risks they bring based on the device being used.

To control the threat exposure unknowingly caused by the end user community and protect your organization from breaches, leverage User-ID (user-based access controls) on your Palo Alto Networks next-generation firewall (NGFW). With User-ID, you can allow access to sanctioned applications based on user identity information, rather than IP address. This provides visibility into who is using what applications on the network, and who is transferring files and possibly introducing threats into your organization. When applied correctly, user-based access controls can reduce incident response times and strengthen your organization's security posture.

Outlined below are five key points to consider when applying User-ID technology to your NGFW security infrastructure.

### 1. Understand the organization's user environment and architecture

To do this, ask yourself the following questions:

* *Which locations does my organization operate in?* An organization might operate in several different locations, such as a main campus, branch offices or remote locations.
* *What authentication method is used in each location?* Do users log in directly to directory servers, or are they authenticated and authorized on wireless LAN (WLAN) controllers, VPN systems or network access control (NAC) devices?
* *What are the operating systems (OS) in each location?* There could be heterogeneous environments with Windows®, Mac and Linux systems, or homogeneous environments with only one OS.
* *How do endpoints log on to the network?* Are endpoints identified and authenticated prior to logging on to the network?

### 2. Figure out supported user-to-IP mapping strategies, and determine the ones you will use

Figure out what user-to-IP mapping strategies are supported by your next-generation firewall. A number of mechanisms are typically supported to identify users -- third-party proxy servers, WLAN controllers, terminal services agents, directory service logs, and more. Based on discoveries in the first step, select the user-to-IP mapping strategies that apply to your environment.

### 3. Implement the selected user-to-IP mapping strategy for user visibility

Implement the selected strategy to gain visibility into users' behavior. Collaboration with other team members, such as IT architects, security operators and network admins, is critical here. This visibility will enable the identification of activities and usage patterns tied to users, instead of IP addresses, including insights such as top users and browsing history; top apps accessed by users in the marketing group in the last 24 hours; or Software-as-a-Service (SaaS) application usage broken down by user -- all providing valuable data points around which to formulate appropriate user-based access controls. Share the visibility reports and data with the team members with whom you collaborated.

### 4. Ensure business policies exist to justify user-based access controls

Before rolling out User-ID-based controls, ensure supporting business policies exist that define access parameters. Typically, such policies are established by human resources (HR) and legal. If such policies do not exist, collaborate with HR and legal to establish policies, leveraging the user-based reports as your guide.

In addition, when defining user-based access controls, it's best to do so in terms of groups, rather than individual users. Instead of marketers Jane, John and Joe, think of the three individual users as the marketing group. This will go a long way to simplify policies and keep administrative overhead to a minimum.

### 5. Implement user-based access policy

Once the corresponding business policy is aligned and user groups are defined, user-based access controls can be implemented. Create a list of security rules that whitelist acceptable applications and websites, and deny access to ALL else, and then implement the policy, one group at a time.

The user groups impacted by the new access controls will likely have questions. Communication is key here. Let the impacted user groups know what you plan to do and when you plan to do it. Organizations can also consider forming a special incident response team to field the higher-than-average volume of inquiries related to the implementation to ease the minds of users and drive a smooth execution.

With these considerations in mind, implement User-ID on your Palo Alto Networks NGFW security infrastructure to defend against successful cyberattacks and make the most of your security investment.

To learn more about the benefits of leveraging User-ID, user-based access controls, on your Palo Alto Networks NGFW:

* Register for the "[**How to Implement User-based Controls for Cybersecurity**](http://go.paloaltonetworks.com/userid011817)" webinar on January 18, 2017
* Check out the [**PAN-OS Administrator's Guide**](https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id)
* Visit the Palo Alto Networks [**Live Community**](https://live.paloaltonetworks.com/)

^\*^*U.S. Mobile Worker Forecast, 2015--2020, International Data Corporation (IDC), May 2015*
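Steps 2 through 5 amount to a resolve-then-match pipeline: map the source IP to a user, map the user to groups, then apply a group-based allow-list with default deny. The following Python model is an added example, not code from the original post and not PAN-OS configuration; all users, addresses, groups and application labels in it are constructed.

```python
# Illustrative model, not PAN-OS code; every name and value below is constructed.
from collections import Counter

# User-to-IP mappings (ip, user, valid_from, valid_to); one IP is reused by two users.
MAPPINGS = [
    ("10.1.1.20", "jane", 1000, 2000),
    ("10.1.1.20", "raj", 2000, 3000),
    ("10.1.2.7", "joe", 1000, 3000),
]
# Directory groups: policy is written per group, not per user.
GROUPS = {"jane": {"marketing"}, "joe": {"marketing"}, "raj": {"engineering"}}
# Ordered allow-list of (group, permitted applications); anything unmatched is denied.
RULES = [
    ("marketing", {"salesforce", "web-browsing"}),
    ("engineering", {"github", "ssh", "web-browsing"}),
]
# Sessions to evaluate: (source ip, timestamp, application).
SESSIONS = [
    ("10.1.1.20", 1500, "salesforce"),   # jane, marketing: allowed
    ("10.1.1.20", 2500, "salesforce"),   # same IP, now raj: default deny
    ("10.1.1.20", 2500, "github"),       # raj, engineering: allowed
    ("10.1.2.7", 1200, "ssh"),           # joe, marketing: default deny
    ("10.9.9.9", 1200, "web-browsing"),  # unmapped IP: denied
]

def resolve_user(ip, ts):
    """Return the user mapped to ip at time ts, or None if no mapping covers it."""
    for m_ip, user, start, end in MAPPINGS:
        if m_ip == ip and start <= ts < end:
            return user
    return None

def evaluate(ip, ts, app):
    """First matching group rule allows; unknown users and unmatched apps are denied."""
    user = resolve_user(ip, ts)
    if user is None:
        return ("deny", None, "no user-to-IP mapping")
    for group, apps in RULES:
        if group in GROUPS.get(user, set()) and app in apps:
            return ("allow", user, f"rule for group {group}")
    return ("deny", user, "default deny")

def denied_apps_by_group(sessions):
    """Visibility report: count denied (group, app) pairs to review before enforcing."""
    report = Counter()
    for ip, ts, app in sessions:
        verdict, user, _ = evaluate(ip, ts, app)
        if verdict == "deny" and user:
            report.update((g, app) for g in GROUPS.get(user, ()))
    return report

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "->", evaluate(*s))
```

The second and third sessions share a source address with the first but resolve to a different user, so an IP-keyed rule would give all three the same verdict. Running `denied_apps_by_group` in report-only mode before enforcement gives the per-group data the post suggests sharing with HR and legal.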