Cisco Cisco Web Security Appliance S670 User Guide

Create two user defined policy groups of the same type, such as Access Policies, and configure them 
both to use the Identity group with the authentication sequence you defined in step 

Configure the first policy group to only apply to users in one realm, such as RealmA. You can do this by 
specifying a particular realm in the sequence, or by using authentication groups, or entering specific 
usernames.

Configure the second policy group to only apply to users in the other realm, such as RealmB. You can 
do this by specifying a particular realm in the sequence, or by using authentication groups, or entering 
specific usernames.

When you configure the appliance in this way, any client that sends a request for a URL must exist in 
either realm in the sequence (RealmA or RealmB) in order to pass authentication at the Identity level. 
Once an Identity has been assigned to the client request, the Web Proxy can compare the client request 
against the other policy types and determine which policy group, such as an Access Policy group, to 
match and then apply those control settings. In this example, the Web Proxy matches users in RealmA 
with the policy group configured in step 

, and matches users in RealmB with the policy group 

configured in step