https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85895#M10360 Legacy User Access should not be used anymore and Identity Awareness is anyway the recommended way for creating Remote Access rules.<BR />As soon as you want to move to a unified policy, the Legacy User Access objects aren't working/supported and you will not be able to install policy anyway. Wed, 20 May 2020 12:50:44 GMT Norbert_Bohusch 2020-05-20T12:50:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85863#M10357 <P>Hi there,</P><P>In mobile access portal policy you can add singe user and not necessary use LDAP group and it works just fine.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 504px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6175iD607AC42C39FA679/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>I tried to achieve the same for remote access for VPN users and I couldn't find a way to do this. I could add only LDAP group, but not single user. Is there a way to do this?</P><P>&nbsp;</P> Wed, 20 May 2020 10:34:14 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85863#M10357 abihsot__ 2020-05-20T10:34:14Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85868#M10358 <P>If you want to allow only a single user you have to use access-roles as source in your policy.&nbsp;</P> <P>Create a role for every user you need and add only the user in the access-role. These users can't be internal users, they can be added only if they defined in a directory referenced by an account unit.</P> <P>Wolfgang</P> Wed, 20 May 2020 10:54:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85868#M10358 Wolfgang 2020-05-20T10:54:03Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85869#M10359 <P>This means I need to enable Identity Awareness blade on the gateway to use access roles. The gateway having Mobile Access do not have Identity Awareness enabled. Thanks for suggestion, I'll give it a try.</P> Wed, 20 May 2020 11:04:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85869#M10359 abihsot__ 2020-05-20T11:04:43Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85895#M10360 Legacy User Access should not be used anymore and Identity Awareness is anyway the recommended way for creating Remote Access rules.<BR />As soon as you want to move to a unified policy, the Legacy User Access objects aren't working/supported and you will not be able to install policy anyway. Wed, 20 May 2020 12:50:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/85895#M10360 Norbert_Bohusch 2020-05-20T12:50:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/86506#M10361 <P>Noted, thanks!</P> Wed, 27 May 2020 14:55:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Defining-access-per-user/m-p/86506#M10361 abihsot__ 2020-05-27T14:55:22Z