Instead of relying on just the IP addresses to decide whether to permit or deny, with this userFW ,we will get another criteria to decide upon and that is username or his group membership info, which can be fetched from AD/UAC etc.. In evironments where the IP assigned to a user could change but his username/AD group membership remains constant , so on SRX we can enforce a rule based on this .