Cisco Cisco Web Security Appliance S170 사용자 가이드

Every non-Identity policy group specifies at least one Identity group as part of its policy group 
membership. You can configure a non-Identity policy group to use multiple Identity groups, and you can 
specify which users or groups of users are authorized to access the web using the policy group. 

You might want to specify multiple Identity groups in a policy group under the following circumstances:

You have an Identity group defined for HTTP transactions and another Identity group defined for 
native FTP transactions. You can create a single non-Identity policy group that applies to both HTTP 
and native FTP transactions

Separate Identity groups are defined for each authentication realm. You want to create one Access 
Policy group that defines the same access control settings for users in multiple authentication 
realms.

You can also specify All Identities and configure the authenticated users.

 shows a policy group that uses multiple Identities.

If an Identity group becomes disabled, then that Identity group is removed (not disabled) from any 
non-Identity policy group that used it. If the Identity group becomes enabled again, the non-Identity 
policy groups that previously used the Identity do not automatically include the enabled Identity. Identity 
groups become disabled due to a deleted authentication realm or sequence.

This Identity uses an authentication sequence and this policy group 
applies to one realm in the sequence.

Authentication is not used for this Identity.

This Identity allows guest access and applies to users who fail 
authentication.

The specified user groups in this Identity are authorized for this policy 
group.