How the User-ID Agent Include/Exclude List Works

Created On 09/25/18 19:43 PM - Last Modified 04/25/24 22:17 PM


This article explains how to configure the Include/Exclude list on the User-ID Agent.


  • User-ID Agent
  • Include / Exclude List



The Include/Exclude list is applied to networks and hosts identified through the User-ID Agent.  The User-ID Agent tries to identify users for the IP range designated as Include.  Likewise, the User-ID Agent does not identify users for the network address range designated as Exclude.  Note that this is different from the user and group ignore lists, and is only concerned with which networks to include or exclude for the purposes of mapping users.



If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent.  When an entry is added to the Include list, there is an implicit deny for any other IP address.  The order of entries in the Include/Exclude list is important, as the list is processed top to bottom.


For example, to configure the exclusion of subnet ( in the larger subnet (

  1. Add a specific subnet and designate as Exclude.
  2. Add the larger, encompassing subnet and designate as Include.


Note: If the rules in the above example were reversed with the Include rule on top, then the User-ID Agent would allow the mapping on then disregard the Exclude rule for

Note: If the list contains only Exclude entries, at least one network must also be included, or the User-ID Agent may exclude all subnets. If the list contains only Include entries, all other networks are assumed to be excluded.
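The ordering behavior described above can be checked before a list is deployed. The following is an added example, not Palo Alto Networks code: it models the list as first-match-wins with an implicit deny once any entry exists (an assumption drawn from this article's description), and flags entries that can never take effect because a broader entry sits above them. The subnets are constructed sample values, not the ones from the original example.

```python
import ipaddress

def should_map(ip, rules):
    """Return True if a user mapping would be attempted for `ip`.

    rules: ordered list of (cidr, action); action is "include" or "exclude".
    Modelling assumption: the first matching entry decides the outcome.
    """
    if not rules:
        return True                      # empty list: any network can be mapped
    addr = ipaddress.ip_address(ip)
    for cidr, action in rules:           # processed top to bottom
        if addr in ipaddress.ip_network(cidr):
            return action == "include"
    return False                         # implicit deny for everything else

def shadowed_rules(rules):
    """List entries fully covered by an earlier entry, so they never match."""
    nets = [(ipaddress.ip_network(c), a) for c, a in rules]
    found = []
    for i, (net, action) in enumerate(nets):
        for prev, prev_action in nets[:i]:
            if net.version == prev.version and net.subnet_of(prev):
                found.append((str(net), action, str(prev), prev_action))
                break
    return found

# Constructed sample lists (hypothetical subnets).
CORRECT = [("10.1.1.0/24", "exclude"), ("10.0.0.0/8", "include")]
REVERSED = [("10.0.0.0/8", "include"), ("10.1.1.0/24", "exclude")]
EXCLUDE_ONLY = [("10.1.1.0/24", "exclude")]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("reversed", REVERSED),
                        ("exclude-only", EXCLUDE_ONLY)):
        print(name)
        for ip in ("10.1.1.5", "10.2.3.4", "192.168.1.1"):
            print(f"  {ip:<12} mapped={should_map(ip, rules)}")
        for net, act, prev, prev_act in shadowed_rules(rules):
            print(f"  WARNING: {act} {net} is shadowed by {prev_act} {prev}")
```

Any entry reported by `shadowed_rules` should be moved above the broader entry that covers it.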


