IP addresses are no longer an effective proxy for end users. With user-based access controls, organizations can allow access to sanctioned applications based on user identity information, rather than IP address. This brief discusses key considerations when implementing user-based access controls to minimize the threat exposure unknowingly caused by the end user community.