Before proceeding, it is important to understand that in Cloud App Security, once a policy is matched for a user (target), no subsequent policies are applied. In other words, if a user is included in multiple policies that have real-time scanning enabled, only the policy with the highest priority is applied.
For reference, you can check out Adding Data Loss Prevention Policies.
This means that if you wish to exclude one user or a group of users from a policy, it is necessary to:
- Copy the existing policy
- Modify it as required
- Place it above the original policy in the processing order
- Apply it only to the desired users
See the procedure below, where CSS files are blocked in the default policy, but we want to allow one user (CAS Test) to send and receive these files:
- Copy the policy.
- Modify the policy as required.
In this example we want to allow CSS files (File Blocking > Blocking List > Extensions to Block).
- Apply the policy only to desired users (General > Selected Targets)
While here, you can also rename the policy and enable Real Time Scanning.
- Verify Settings.
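The first-match behaviour described above, modelled as an added example (a simplified illustration, not Trend Micro code or a Cloud App Security API): list order stands in for policy priority, and the policy names, the `exe` extension and the second user are constructed. It also flags an exception policy that can never apply because it sits below the policy it was copied from.

```python
from dataclasses import dataclass

ALL = frozenset({"*"})  # assumption: marker meaning "every user is a target"

@dataclass(frozen=True)
class Policy:
    name: str
    targets: frozenset        # users the policy is applied to
    blocked_ext: frozenset    # extensions on the blocking list
    realtime: bool = True     # only real-time policies take part in matching

def matching_policy(policies, user):
    """Return the first policy (highest priority first) that targets the user."""
    for p in policies:
        if p.realtime and (p.targets == ALL or user in p.targets):
            return p          # first match wins; later policies are ignored
    return None

def verdict(policies, user, filename):
    """Return (action, name of the policy that decided)."""
    p = matching_policy(policies, user)
    if p is None:
        return ("allow", None)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ("block" if ext in p.blocked_ext else "allow", p.name)

def shadowed(policies):
    """Names of policies whose targets are all claimed by higher-priority ones."""
    out, covered, all_covered = [], set(), False
    for p in policies:
        if not p.realtime:
            continue
        if all_covered or (p.targets != ALL and p.targets <= covered):
            out.append(p.name)
        if p.targets == ALL:
            all_covered = True
        else:
            covered |= p.targets
    return out

# Constructed sample data: the default policy blocks CSS; the copy does not.
DEFAULT = Policy("Default", ALL, frozenset({"css", "exe"}))
COPY = Policy("Default - CAS Test", frozenset({"CAS Test"}), frozenset({"exe"}))
CORRECT = [COPY, DEFAULT]   # copy placed above the original
WRONG = [DEFAULT, COPY]     # copy left below the original: never reached

if __name__ == "__main__":
    for label, order in (("correct", CORRECT), ("wrong", WRONG)):
        print(label, verdict(order, "CAS Test", "style.css"), shadowed(order))
```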