Understanding the Single User Identity

This article explains the changes regarding unifying User Awareness users and SDP users into a single user identity.


Managing users and enforcing policies are a key component of an administrator's role in controlling user access. Cato has enhanced how you manage users and enforce policies by unifying users into a single user identity. Previously, there were User Awareness users and SDP users, they have been unified into a single user. This simplifies operations for administrators and increases visibility when applying policies.

This diagram summarizes the changes:


Use Case - Enforcing an Internet Firewall Policy

In an Internet Firewall policy, a User Awareness user is included in a rule that blocks access to gambling apps.

  • Currently, access to gambling apps are only blocked behind a site. To also block gambling apps remotely, you need to add the SDP User to the rule

  • With a single user identity, gambling apps are blocked behind a site or remotely

Understanding the Improvements to your Account

The single user identity includes several improvements for your account.

User Awareness Users and SDP Users are Unified into a Single Identity

Previously there are two types of users in the Cato Management Application:

  • User Awareness users (Users) who can access the network behind a site

  • SDP users (SDP Users) who can access the network remotely

The single user identity in the Cato Management Application is called User. This creates a more intuitive way to apply policies that keep your network secure.

User Awareness does not identify disabled users.

All Users Included on the Users Directory Page

All users in your account are shown on the Users Directory page with a clear indication of users that have a license. This provides a single location for visibility of all your users.


Policies are Enforced Wherever the User Connects

Previously User Awareness users only have policies enforced when they connect behind a site, and SDP Users only have policies enforced when they connect remotely. For the same policy to apply behind a site and remotely, admins need to include both a User Awareness user and a SDP user.




With the single user identity, after you add a User to a policy, it is enforced whether the user is located behind a site or remotely. This provides consistent experience for managing users across the system and you no longer have to manage two user types in all your policies and configurations.



Changes to User Groups

  • All existing user groups are updated to only include a single user identity.

    For example, a user group previously contained two items for Anna Bay, SDP user and User Awareness user. After the enhancement, the user group contains a single user identity for Anna Bay. The policies are enforced for Anna Bay whether she is located at the office or working from home.

  • For the system group All SDP Users, policies are only enforced when working remotely. The polices are NOT enforced when the users are located at the office.

  • These are the new system user groups:

    • All Users - policies are enforced whether users in this group are located at the office or working remotely.

    • All Manual Users - Users created manually in the Cato Management Application (only for assigning licenses, can't use in policies)

    • All SCIM Users - Users provisioned from an IdP using SCIM (only for assigning licenses, can't use in policies)

    • All LDAP Users - Users provisioned from an IdP using LDAP (only for assigning licenses, can't use in policies)


Updates to SCIM and LDAP User Provisioning

These are the updates to how users are provisioned with both SCIM and LDAP.

Assigning a License From the New License Assignment Page

A license is required for a user to connect to the network remotely. Licenses are no longer assigned as part of user provisioning (SCIM or LDAP) but are assigned and managed for Users and User groups from the new Access > License Assignment page. This increases visibility for administrators as they can manage licenses from a single page.

Users must be provisioned with an email address to be assigned a license, First Name and Last Name are not required fields. 

Users are sent invitation emails after the license is assigned. 



No Mandatory Fields

All users are created without mandatory fields e.g., email address. 

In Azure, users can authenticate with email or UPN depending on your Azure configuration. 


Updates to LDAP Provisioning: Importing Active Directly Groups

Groups that you select are synced automatically without needing to specify if the group is User Awareness users or SDP users



Identify Manually Created Users

You can identify manually created users behind a site using the Cato Identity Agent. Users are required to authenticate once.

Was this article helpful?

2 out of 2 found this helpful


Add your comment