How to auto-populate users and groups in policies for Prisma Access device groups on Panorama

Created On 04/29/22 23:06 PM - Last Modified 10/28/25 09:04 AM


Objective


To auto-populate users and groups in policies for Prisma Access device groups on Panorama
 


Environment


  • Panorama Managed Prisma Access 
  • Group Policies


Procedure


  1. Panorama uses the master device's user and group mapping information to auto-populate users and groups in device group policies.
  2. To allow Panorama to collect group mappings, add a device group, then designate a next-generation firewall (hardware or VM-Series) that is already fetching LDAP groups as its master device.
  3. Since there are no managed firewalls (hardware or VM-Series) in Prisma Access device groups, use one of the following alternatives:
    1. Add a non-Prisma Access device group that has a master device associated with it, and make it the parent device group of the Prisma Access device groups.
       Limitation: auto-population of users and groups applies only to the parent device group that is associated with the master device. It does not apply to the child device groups (Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group).

    OR

    2. Run the following command on the Panorama CLI:
       set device-group Mobile_User_Device_Group master-device device <MASTER_DEVICE_SERIAL>
       where MASTER_DEVICE_SERIAL is the serial number of the master device in any other device group on Panorama.

Note: Without this feature, user groups can be configured in long DN format (CN=Group1,DC=mydomain,DC=com) on Panorama and pushed to the Prisma Access cloud firewalls.

Additional Information


Retrieve Group Mappings Using a Master Device.
