Have any of you found a successful model for managing granular permissions for users at scale (1500+ users)? We use AD groups, but they've mostly sprawled out of control and it can be challenging to at-a-glance understand what Role/AD group leads to what layer 3 access. Introducing more discipline and oversight into the process might help, but I'm thinking others may have found a better, more scalable way.
I have also considered offloading the access decisions to the firewall layer, leaving the Pulse box mostly to handle tunnel termination and authentication.
I think your best bet will be getting AD under control. We use dedicated AD groups for our remote access to give various different roles and make the name mean something. Also, not allowing nested groups within that group (only individual users) will help. Name something like RemoteAccess-RDP, RemoteAccess-View, RemoteAccess-Meetings, RemoteAccess-SSH, etc.
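One way to keep that convention honest, as an added example that is not from this thread: a small PowerShell audit that walks every RemoteAccess-* role group, flags nested groups (only direct users allowed) and empty roles, and prints the group alongside the layer 3 access it is meant to grant so the mapping is readable at a glance. The group names, the access map and the member data are constructed so it runs without a domain; the comment shows the Get-ADGroupMember call to substitute in production.

```powershell
# Added example, not the poster's script. Audits remote-access role groups for the
# rules above: flat membership (no nested groups), nothing empty, and an explicit
# group -> layer 3 access map. All names and networks below are hypothetical.
# In production, replace Get-ConstructedMembers with:
#   Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass

# Hypothetical role map (constructed): which group is meant to reach what.
$RoleMap = @{
    'RemoteAccess-RDP'      = @('10.10.20.0/24 tcp/3389')
    'RemoteAccess-SSH'      = @('10.10.30.0/24 tcp/22')
    'RemoteAccess-View'     = @('10.10.40.0/24 tcp/443')
    'RemoteAccess-Meetings' = @('10.10.50.0/24 tcp/443')
}

# Constructed stand-in for Get-ADGroupMember output (Name, objectClass).
$ConstructedDirectory = @{
    'RemoteAccess-RDP'      = @(
        [pscustomobject]@{ Name = 'alice';        objectClass = 'user' },
        [pscustomobject]@{ Name = 'Domain Users'; objectClass = 'group' }  # nesting violation
    )
    'RemoteAccess-SSH'      = @(
        [pscustomobject]@{ Name = 'bob';   objectClass = 'user' },
        [pscustomobject]@{ Name = 'carol'; objectClass = 'user' }
    )
    'RemoteAccess-View'     = @()                                           # empty role
    'RemoteAccess-Meetings' = @([pscustomobject]@{ Name = 'dave'; objectClass = 'user' })
}

function Get-ConstructedMembers {
    param([string]$GroupName)
    return $ConstructedDirectory[$GroupName]
}

function Test-RemoteAccessGroup {
    param([string]$GroupName, [string[]]$Allows)
    $members = @(Get-ConstructedMembers -GroupName $GroupName)
    $nested  = @($members | Where-Object { $_.objectClass -eq 'group' })
    $users   = @($members | Where-Object { $_.objectClass -eq 'user' })
    # Nested groups hide who really has the access; empty roles are usually stale.
    if ($nested.Count -gt 0)    { $status = 'FAIL: nested group' }
    elseif ($users.Count -eq 0) { $status = 'WARN: no members' }
    else                        { $status = 'OK' }
    [pscustomobject]@{
        Group        = $GroupName
        Allows       = ($Allows -join ', ')
        DirectUsers  = $users.Count
        NestedGroups = ($nested.Name -join ', ')
        Status       = $status
    }
}

# One row per role: group, what it reaches, direct user count, any violations.
$RoleMap.Keys | Sort-Object | ForEach-Object {
    Test-RemoteAccessGroup -GroupName $_ -Allows $RoleMap[$_]
} | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the firewall policy to catch a group whose intended access and actual access have drifted apart.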