We don't need user-id enabled for this.
If you are using a username to filter, check the Globalprotect/authd.logs to see what username is passed to the firewall.
Use domain\username format to filter the config.
firstname.lastname@example.org, then use domain.com\username as the source user.
Hope this helps.