Allow specific users to access F5's GUI?

We ran into a similar situation recently. The best way to handle this is to create a separate AD group (something like F5-Admins) that includes only the 5 users who actually need GUI access. Then, in Cisco ISE, update your TACACS policy to reference this new group instead of the broader one with all 10 users.

From there, you can keep your remote-role mapping on the F5 as-is, and only those 5 users will be granted access based on the new group membership. It’s clean, easy to manage, and keeps access tightly controlled.

Alternatively, if you can’t modify AD groups, you could try setting up user-specific remote role entries on the F5 using exact usernames, but that can get messy and is harder to maintain long-term.