## Pushing Cloud Identity Engine managed group mappings to Firewalls
### Procedure
To push Cloud Identity Engine (CIE) managed group mappings to the firewalls, those groups must first be referenced in the Security Policy (for example, by specifying one or more users or groups that the firewall retrieves from the Cloud Identity Engine as the Source User).
> [!NOTE]
> The firewall collects attributes only for the users and groups that you use in security policy rules, not all users and groups in the directory.
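
Because only groups referenced in Security policy rules are collected, a quick audit of an exported configuration shows which groups the firewall will not receive. The following is an added example, not part of the original note or any Palo Alto Networks tooling; it assumes a firewall-local `rulebase/security/rules` section in the exported XML, and the sample configuration, rule names and group names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported security rulebase (not from a real device).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-finance-apps">
    <source-user><member>grp-finance</member></source-user>
  </entry>
  <entry name="allow-vpn">
    <source-user><member>grp-vpn-admins</member><member>grp-finance</member></source-user>
  </entry>
  <entry name="default-outbound">
    <source-user><member>any</member></source-user>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# Built-in Source User keywords that do not name a directory user or group.
BUILTIN_SOURCE_USERS = {"any", "known-user", "unknown", "pre-logon"}


def referenced_source_users(config_xml):
    """Map each Source User value to the security rules that reference it."""
    root = ET.fromstring(config_xml)
    refs = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        for member in rule.iterfind("source-user/member"):
            name = (member.text or "").strip()
            if name and name not in BUILTIN_SOURCE_USERS:
                refs.setdefault(name, []).append(rule.get("name"))
    return refs


def groups_not_in_policy(config_xml, expected_groups):
    """Return expected groups that no security rule uses as Source User.

    Names are compared exactly as written, so expected_groups must use the
    same format as the rules (the configured User Attributes format).
    """
    refs = referenced_source_users(config_xml)
    return sorted(g for g in expected_groups if g.strip() not in refs)


if __name__ == "__main__":
    expected = ["grp-finance", "grp-hr", "grp-vpn-admins"]  # constructed list
    for group in groups_not_in_policy(SAMPLE_CONFIG, expected):
        print(f"not referenced in any security rule: {group}")
```
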
#### References
1. Can CIE authenticate user groups for GlobalProtect?
Yes, to push Cloud Identity Engine (CIE) managed group mappings to the Firewalls, those groups need to be added under the Security Policy first (for example, by specifying one or more users or groups that the firewall retrieves from the Cloud Identity Engine as the Source User).
Kindly refer to the technical document below:
[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA&lang=en_US](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkppCAA&lang=en_US) #paloaltonetworks
2. What does the format look like?
The format should match the User Attributes format configured under Device > User Identification > Cloud Identity Engine > User attributes.
Kindly refer to the technical document below:
[https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall](https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall) #paloaltonetworks
![[Pasted image 20241126033822.png]]![[Pasted image 20241126033835.png]]