There are use cases where user-ids are not passed to Gateway due to which user's access to Saas App is blocked.

User-id passed as `unauthenticated user` - WSS PSG or on-prem PSG can pass this to CASB
No user-id header present - this could happen in scenarios where the customer setup policy to bypass auth for some CASB domains (e.g., a UPE customer).

User should be allowed to access Saas Apps for above case scenarios. 

To support `unauthenticated user` from CASB

Add user as
Email `unauthenticated_user@<tenant primary domain>` (e.g., [email protected])
Secondary ID as `unauthenticated user`. NOTE: Secondary ID value should have space in it.

If  no user-id is passed to CloudSOC, contact  support to enable Unauthorized user.
Need to add user as
Email guest@<tenant primary domain> (e.g., [email protected])
Secondary ID is optional